Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

**Description**

user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case.

**Proof of Concept**

1 user1 send admin a greeting card1

2 user2 send admin a greeting card2

3 user1 delete his message related to greeting card1, using burpsuite hijack the request.

    POST /adm_program/modules/messages/messages.php?msg_uuid=7cd5f4ed-dedc-46c6-b4ec-3567246583ef HTTP/1.1
    Host: localhost:8080
    Content-Length: 49
    sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: http://localhost:8080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8080/adm_program/modules/messages/messages.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; BBLANG=en_US; ADMIDIO_admidio_adm_SESSION_ID=beedb93711a4307d7d676817daeefd7b
    Connection: close
    
    admidio-csrf-token=6amCNCtp5js7GH8g2UwyHOU88PKm2M
    

4 changing the messges uuid as the message related to card2

5 result shows success

IDORs with unpredictable IDs are valid vulnerabilities see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html

as the uuid is hard to predicate, we mark Attack Complexity as high

**Impact**

Impact of the Vulnerability:

This vulnerability allows a user to delete messages of other users, which can result in a loss of important communication data. This can also lead to unauthorized editing or deleting of messages, causing potential security issues for the impacted users. Additionally, an attacker may use this vulnerability to tamper with the message history and cover up their tracks, making it difficult to trace any malicious activity.

CVE-2023-3304: IDOR in message  deletion in admidio

Expand Up @@ -19,7 +19,7 @@ require(\_\_DIR\_\_ . '/../../system/login\_valid.php');  
// Initialize and check the parameters $getPhotoUuid = admFuncVariableIsValid($\_GET, 'photo\_uuid', 'string'); $getPhotoUuid = admFuncVariableIsValid($\_GET, 'photo\_uuid', 'string', array('requireValue' => true)); $getUserUuid = admFuncVariableIsValid($\_GET, 'user\_uuid', 'string'); $getPhotoNr = admFuncVariableIsValid($\_GET, 'photo\_nr', 'int', array('requireValue' => true)); $showPage = admFuncVariableIsValid($\_GET, 'show\_page', 'int', array('defaultValue' => 1)); Expand All @@ -35,47 +35,43 @@ // => EXIT }  
// URL auf Navigationstack ablegen // Drop URL on navigation stack $gNavigation\->addUrl(CURRENT\_URL, $headline);  
// Fotoveranstaltungs-Objekt erzeugen oder aus Session lesen // Create photo album object or read from session if (isset($\_SESSION\['photo\_album'\]) && (int) $\_SESSION\['photo\_album'\]->getValue('pho\_uuid') === $getPhotoUuid) { $photoAlbum =& $\_SESSION\['photo\_album'\]; } else { // einlesen des Albums falls noch nicht in Session gespeichert $photoAlbum = new TablePhotos($gDb); if ($getPhotoUuid !== '') { $photoAlbum\->readDataByUuid($getPhotoUuid); } $photoAlbum\->readDataByUuid($getPhotoUuid);  
$\_SESSION\['photo\_album'\] = $photoAlbum; }  
// pruefen, ob Album zur aktuellen Organisation gehoert if ($getPhotoUuid !== '' && (int) $photoAlbum\->getValue('pho\_org\_id') !== $gCurrentOrgId) { // check if user has right to view the album if (!$photoAlbum\->isVisible()) { $gMessage\->show($gL10n\->get('SYS\_INVALID\_PAGE\_VIEW')); // => EXIT }  
if ($gValidLogin && $gCurrentUser\->getValue('EMAIL') === '') { // der eingeloggte Benutzer hat in seinem Profil keine gueltige Mailadresse hinterlegt, // die als Absender genutzt werden kann... // the logged in user has no valid mail address stored in his profile, which can be used as sender $gMessage\->show($gL10n\->get('SYS\_CURRENT\_USER\_NO\_EMAIL', array('<a href="'.ADMIDIO\_URL.FOLDER\_MODULES.'/profile/profile.php">', '</a>'))); // => EXIT }  
if ($getUserUuid !== '') { // usr\_id wurde uebergeben, dann Kontaktdaten des Users aus der DB fischen // UUID was set than read contact data of this user $user = new User($gDb, $gProfileFields); $user\->readDataByUuid($getUserUuid);  
// darf auf die User-Id zugegriffen werden // check if the current user has the right communicate with that member if ((!$gCurrentUser\->editUsers() && !isMember((int) $user\->getValue('usr\_id'))) || strlen($user\->getValue('usr\_id')) === 0) { $gMessage\->show($gL10n\->get('SYS\_USER\_ID\_NOT\_FOUND')); // => EXIT }  
// besitzt der User eine gueltige E-Mail-Adresse // check if the member has a valid email address if (!StringUtils::strValidCharacters($user\->getValue('EMAIL'), 'email')) { $gMessage\->show($gL10n\->get('SYS\_USER\_NO\_EMAIL', array($user\->getValue('FIRST\_NAME').' '.$user\->getValue('LAST\_NAME')))); // => EXIT Expand Down

CVE-2023-3303: ecard could sent if album is logged #1432 · Admidio/admidio@3d8bafa

Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.

../ advisories/

Multiple command injection vulnerabilities are present in the RaspAP web interface. They allow an authenticated user to execute arbitrary OS commands with the privileges of the web server. Additional factors in the default configuration allow elevation to root privileges.

**Affected products**

RaspAP v2.8.9 and older

**Steps to reproduce**

1.  Obtain credentials for RaspAP
2.  Configure and execute the following script

3.  Observe that the file /tmp/hax has been created on the raspi, and contains the output of uptime.

**Cause**

There are two almost identical instances of the vulnerability, at hostapd.php:103 and hostapd.php:108. In both instances, an unsanitized POST variable is fed into a command executed using exec().

A third instance exists at configure\_client.php:20, exploitable in a similar manner.

**Impact**

An authenticated user is able to execute arbitrary commands as www-data.

In the default RaspAP configuration, this can be leveraged to gain root access by exploiting two of the configured sudo permissions; overwrite the openvpn client configuration to set the following:

    script-security 2
    up /tmp/payload.sh

and establish an OpenVPN connection. /tmp/payload.sh will be executed with root privileges.

**Proposed Mitigation**

Apply sanitization to the txpower and interface parameters, and use the PHP built-in escapeshellarg() before passing them to exec().

**History**

*   2023-03-30: Additional fix submitted
*   2023-03-30: Report merged for all three vulnerabilities
*   2023-03-29: Additional vulnerability reported (configure_client.php)
*   2023-03-29: Initial report removed
*   2023-03-29: Fix applied and released as v2.8.9
*   2023-03-28: Initial report filed (hostapd.php)

CVE-2023-30260: Security advisory

Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.

../ advisories/

A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.

**Affected products**

magnusbilling 7 up to and including commit 7af21ed620

magnusbilling 6 (all versions)

**Steps to reproduce**

The following proof of concept uses a harmless sleep 30 command as a payload.

1.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
2.  Observe that the page takes 30 seconds to load
3.  Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
4.  Observe that the page takes only 3 seconds to load

**Cause**

A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

**Impact**

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.

**Proposed Mitigation**

Remove the demo code from icepay.php.

**History**

*   2023-03-28: Initial report removed by maintainer
*   2023-03-27: Vulnerability fixed
*   2023-03-27: Vulnerability reported

CVE-2023-30258: Security advisory

A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232239.

CVE-2023-3383

A vulnerability classified as problematic was found in SourceCodester Online School Fees System 1.0. Affected by this vulnerability is an unknown functionality of the file /paysystem/datatable.php of the component GET Parameter Handler. The manipulation of the argument doj leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-232237 was assigned to this vulnerability.

**Online School Fees System v1.0 has reflected cross-site scripting**

BUG\_Author: zhangyf

Website source code address: https://www.sourcecodester.com/php/11708/online-school-fees-system.html

Vulnerability File: /paysystem/datatable.php

GET parameter "doj" exists reflected cross-site scripting vulnerability

Payload: /paysystem/datatable.php?student=1&doj=<script>alert(document.cookie)</script>&type=feesearch

The js code is successfully executed and the cookie value is returned, which proves that there is a reflected cross-site scripting vulnerability.

CVE-2023-3381: CVEReport/XSS2.md at main · M9KJ-TEAM/CVEReport

A vulnerability, which was classified as problematic, has been found in SourceCodester Game Result Matrix System 1.0. Affected by this issue is some unknown functionality of the file /dipam/save-delegates.php of the component GET Parameter Handler. The manipulation of the argument del_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-232238 is the identifier assigned to this vulnerability.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-3382: CVEReport/XSS3.md at main · M9KJ-TEAM/CVEReport

Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search.

Reflected Cross-Site Scripting in Neox Contact Center.

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Steps to Reproduce :-

1\. You need to login to Neox Contact Center as admin.

2\. Visit the path https://neox.target.com/admin/admin.php?ADD=1&mode=serach&search\_sms\_api\_name=Enter\_Your\_Payload\_here

3\. Payload "><script>alert(1)</script>

4\. The PAyload will get executed.

Thank you for your visit

CVE-2023-30347: CVE-2023-30347/poc.txt at main · huzefa2212/CVE-2023-30347

An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality.

CVE-2023-27083

Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message


Tag

#php