BlueCMS v1.6 was discovered to contain a SQL injection vulnerability via the keywords parameter at search.php.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-33734: GitHub - Peanuts-s/BlueCms

Papaya Medical Viewer version 1.0 suffers from a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-33255

Link  
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:  
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor  
========================

Papaya, Research Imaging Institute - University of Texas Health Science   
Center

Summary  
=======

User supplied input in the form of DICOM or NIFTI images can be loaded   
into the  
Papaya web application without any kind of sanitization. This allows to   
inject  
arbitrary JavaScript code into the image's metadata which will in   
consequence be  
executed as soon as the metadata is displayed in the Papaya web application.

Risk  
====

The vulnerability allows an attacker to inject arbitrary JavaScript code   
into  
the Papaya web application. A risk calculation highly depends on how the   
Papaya  
software is used as a library in the context of a bigger medical web  
application. During the discovery of this vulnerability, the web application  
which used Papaya allowed to upload and store corresponding images on   
the web  
server and display them to multiple users. It was therefore possible to   
store  
JavaScript code on the server and attack users to impersonate or steal their  
session, leading to a disclosure of sensitive medical data.

Description  
===========

A medical web application assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a stored cross-site-scripting vulnerability. The  
application uses the Papaya JavaScript software[0] published by the Research  
Imaging Institute belonging to the University of Texas Health Science   
Center[1].

The software is described as "[..] a pure JavaScript medical research image  
viewer, supporting DICOM and NIFTI formats, compatible across a range of web  
browsers [..]". It can be used stand-alone or integrated into larger medical  
applications, has 192 forks and 488 stars on GitHub and was used in at   
least 50  
published academic research papers[2].

One of the main features is to open medical images of multiple formats,   
which  
can be achieved via the context menu "File - Add image...". Papaya then   
displays  
the image and adds a new icon in the upper right corner of the viewer.   
This icon  
allows to open another context menu to edit the previous opened image as   
a layer  
in multiple ways. The option of interest for the cross-site-scripting  
vulnerability is the "Show Header" entry, which allows getting further  
information about the medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in  
Papaya. The "Show Header" function shows multiple entries including private  
patient data fields like patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create   
and edit  
DICOM images. The metadata field "Manufacturer" of the previously downloaded  
DICOM image was edited with help of the DCMTK tool dcmodify:

DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m  
"Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[..]  
# Dicom-Data-Set  
[..] (0008,0070) LO [<script>alert(1)</script>]              #  26, 1   
Unknown  
Tag & Data [..]

Viewing the header information of the manipulated DICOM image in Papaya   
executes  
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit   
4a42701),  
since the vendor did not implement any remediation several months after new  
contributors have been introduced to the project.

Solution/Mitigation  
===================

Several mitigation recommendations have been sent to the vendor. These   
include  
common mitigation strategies from OWASP[6], like escaping user   
controlled input  
and the usage of popular JavaScript libraries like DomPurify[7].

As a quick workaround, the context menu, which allows showing header   
information  
can be disabled by setting the variable kioskMode to true.

Disclosure timeline  
===================

2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to  
             vendor  
2020-09-30: Contacted vendor again  
2020-09-30: Vendor responds and asks for mitigation ideas  
2020-10-01: Response to vendor with detailed information and mitigation   
ideas  
2020-11-09: Contacted vendor again for any status updates  
2022-08-30: Retest of the customer application including the Papaya web  
             application  
2022-09-21: Notified vendor of intention to publish advisory  
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will   
maintain the  
             project  
2023-04-19: Informed vendor about publication deadline on May 15, 2023  
2023-05-08: Vendor replied with intention to fix vulnerability until May   
15,2023  
2023-05-15: Vulnerability fixed by vendor  
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth of  
SCHUTZWERK GmbH.

References  
==========

[0] https://github.com/rii-mango/Papaya  
[1] https://rii.uthscsa.edu/  
[2] http://mangoviewer.com/pubs.html  
[3] https://en.wikipedia.org/wiki/DICOM  
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/  
[5] https://dicom.offis.de/dcmtk.php.de  
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_  
     Prevention_Cheat_Sheet.html  
[7] https://github.com/cure53/DOMPurify

Disclaimer  
==========

The information in this security advisory is provided "as is" and without  
warranty of any kind. Details of this security advisory may be updated   
in order  
to provide as accurate information as possible. The most recent version   
of this  
security advisory can be found at SCHUTZWERK GmbH's website.  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP  
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO  
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP  
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw  
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE  
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa  
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4  
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+  
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l  
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/  
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp  
4bKAQKWvxQG8GpbKuQT4on0=  
=IEuk  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Papaya Medical Viewer 1.0 Cross Site Scripting

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.

In the module “Sales Booster” (salesbooster) from Webbax, a guest can download personnal informations without restriction.

**Summary**

*   **CVE ID**: CVE-2023-30196
*   **Published at**: 2023-05-22
*   **Platform**: PrestaShop
*   **Product**: salesbooster
*   **Impacted release**: <= 1.10.4 (1.10.5 fixed the vulnerability)
*   **Product author**: Webbax
*   **Weakness**: CWE-22
*   **Severity**: high (7.5)

**Description**

Due to predictible token and a lack of control in the path name’s construction, a guest can perform a path traversal to view all files on the information system.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Stealing secrets to unlock admin controllers based on ajax script
*   Exfiltrate all modules with all versions to facilited pentesting
*   Stealing table\_prefix to greatly facilitate SQL injections for kiddies who don’t known how exploit DBMS design’s vulnerabilities or stealing database access to login in exposed PHPMyAdmin / Adminer / etc.
*   Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictible paths of banks’s modules inside /var/log/)

**Patch from 1.10.4**

    --- 1.10.4/modules/salesbooster/downloads/download.php
    +++ 1.10.5/modules/salesbooster/downloads/download.php
    ...
    -$file = Tools::getValue('file');
    +$file = basename(Tools::getValue('file')).'.txt';
    +if((strpos($file, './') === false) && substr($file,-4) == '.txt'){
    ...
    +}
    ...
    

**Other recommandations**

*   It’s recommended to upgrade to the latest version of the module **salesbooster**.
*   Update the configuration SALESBOOSTER\_TOKEN in your ps\_configuration table with a string not predictible - **be warned that the patch provided by author still suffer of a predictible security token mecanism.**
*   You should consider to restrict the access of modules/salesbooster/ to a whitelist
*   NEVER exposed a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
*   Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your Prestashop

**Timeline**

Date

Action

2023-02-25

Issue discovered during a code review by TouchWeb.fr

2023-02-25

Contact Author

2023-02-25

Request a CVE ID

2023-02-27

Author confirm alert’s read

2023-04-24

Received CVE ID

2023-05-02

Author publish a new version which fix the leak

2023-05-22

Publish this security advisory

**Links**

*   Author download page
*   Usefull Author advices - French
*   National Vulnerability Database

CVE-2023-30196: [CVE-2023-30196] Improper Limitation of a Pathname to a Restricted Directory in Webbax module : Sales Booster for PrestaShop

A vulnerability, which was classified as problematic, has been found in SourceCodester Students Online Internship Timesheet Syste 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_company. The manipulation of the argument name with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230204.

CVE-2023-2973

The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper.

CVE-2023-2288

CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5.


This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders.

The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally.

Upgrade to v4.3.5 or later.

Setting validation rules with an array.

$validation\->setRules(\[
    'email' => \['required', 'valid\_email, 'is\_unique\[users.email,id,{id}\]'\],
\]);

CVE-2023-32692: Remote Code Execution Vulnerability in Validation Placeholders

A vulnerability classified as problematic was found in Bestwebsoft Relevant Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Thumbnail Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.0.8 is able to address this issue. The name of the patch is 860d1891025548cf0f5f97364c1f51a888f523c3. It is recommended to upgrade the affected component. The identifier VDB-230113 was assigned to this vulnerability.

@@ -1,7 +1,7 @@ <?php /\* \* Function for displaying BestWebSoft menu \* Version: 1.3.2 \* Version: 1.3.7 \*/  
if ( ! function\_exists( 'bws\_add\_menu\_render' ) ) { Expand Down Expand Up @@ -119,7 +119,7 @@ function bws\_add\_menu\_render() { ), 'google-one/google-plus-one.php' => array( 'name' => 'Google +1', 'description' => 'Allows you to celebrate liked the article.', 'description' => 'Allows you to see how many times your page has been liked on Google Search Engine as well as who has liked the article.', 'link' => 'http://bestwebsoft.com/plugin/google-plus-one/?k=ce7a88837f0a857b3a2bb142f470853c&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/google-plus-one/?k=ce7a88837f0a857b3a2bb142f470853c&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&type=term&s=Google+%2B1+bestwebsoft&plugin-search-input=Search+Plugins', Expand Down Expand Up @@ -248,9 +248,34 @@ function bws\_add\_menu\_render() { 'description' => 'Allows to change wordpress user role capabilities.', 'link' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => 'http://bestwebsoft.com/plugin/user-role/?k=dfe2244835c6fbf601523964b3f34ccc&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin\-install.php?tab=search&s=User+Role+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=user-role.php', 'pro\_version' => 'user-role-pro/user-role-pro.php' ), 'email-queue/email-queue.php' => array( 'name' => 'Email Queue', 'description' => 'Allows to manage email massages sent by BestWebSoft plugins.', 'link' => 'http://bestwebsoft.com/plugin/email-queue/?k=e345e1b6623f0dca119bc2d9433b130b&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/email-queue/?k=e345e1b6623f0dca119bc2d9433b130b&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&s=Email+Queue+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=mlq\_settings' ), 'limit-attempts/limit-attempts.php' => array( 'name' => 'Limit Attempts', 'description' => 'Allows you to limit rate of login attempts by the ip, and create whitelist and blacklist.', 'link' => 'http://bestwebsoft.com/plugin/limit-attempts/?k=b14e1697ee4d008abcd4bd34d492573a&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/limit-attempts/?k=b14e1697ee4d008abcd4bd34d492573a&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&s=Limit+Attempts+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=limit-attempts.php', 'pro\_version' => 'limit-attempts-pro/limit-attempts-pro.php' ), 'job-board/job-board.php' => array( 'name' => 'Job board', 'description' => 'Allows to create a job-board page on your site.', 'link' => 'http://bestwebsoft.com/plugin/job-board/?k=b0c504c9ce6edd6692e04222af3fed6f&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'download' => 'http://bestwebsoft.com/plugin/job-board/?k=b0c504c9ce6edd6692e04222af3fed6f&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#download', 'wp\_install' => '/wp-admin/plugin-install.php?tab=search&type=term&s=Job+board+BestWebSoft&plugin-search-input=Search+Plugins', 'settings' => 'admin.php?page=job-board.php' ) ); $bws\_plugins\_pro = array( Expand Down Expand Up @@ -305,7 +330,7 @@ function bws\_add\_menu\_render() { ), 'google-one-pro/google-plus-one-pro.php' => array( 'name' => 'Google +1 Pro', 'description' => 'Allows you to celebrate liked the article.', 'description' => 'Allows you to see how many times your page has been liked on Google Search Engine as well as who has liked the article.', 'link' => 'http://bestwebsoft.com/plugin/google-plus-one-pro/?k=f4b0a62d155c9df9601a0531ad5bd832&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/google-plus-one-pro?k=f4b0a62d155c9df9601a0531ad5bd832&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=google-plus-one-pro.php' Expand Down Expand Up @@ -351,6 +376,13 @@ function bws\_add\_menu\_render() { 'link' => 'http://bestwebsoft.com/plugin/sender-pro/?k=dc5d1a87bdc8aeab2de40ffb99b38054&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/sender-pro/?k=dc5d1a87bdc8aeab2de40ffb99b38054&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=sndrpr\_settings' ), 'limit-attempts-pro/limit-attempts-pro.php' => array( 'name' => 'Limit Attempts Pro', 'description' => 'Allows you to limit rate of login attempts by the ip, and create whitelist and blacklist.', 'link' => 'http://bestwebsoft.com/plugin/limit-attempts-pro/?k=9d42cdf22c7fce2c4b6b447e6a2856e0&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version, 'purchase' => 'http://bestwebsoft.com/plugin/limit-attempts-pro/?k=9d42cdf22c7fce2c4b6b447e6a2856e0&pn=' . $bws\_plugin\_info\["id"\] . '&v=' . $bws\_plugin\_info\["version"\] . '&wp\_v=' . $wp\_version . '#purchase', 'settings' => 'admin.php?page=limit-attempts-pro.php', ) );  
Expand Down Expand Up @@ -483,8 +515,8 @@ function bws\_add\_menu\_render() { if ( ( isset( $\_REQUEST\['bwsmn\_form\_submit'\] ) && check\_admin\_referer( plugin\_basename(\_\_FILE\_\_), 'bwsmn\_nonce\_submit' ) ) || ( isset( $\_REQUEST\['bwsmn\_form\_submit\_custom\_email'\] ) && check\_admin\_referer( plugin\_basename(\_\_FILE\_\_), 'bwsmn\_nonce\_submit\_custom\_email' ) ) ) { if ( isset( $\_REQUEST\['bwsmn\_form\_email'\] ) ) { $bwsmn\_form\_email = trim( $\_REQUEST\['bwsmn\_form\_email'\] ); if ( $bwsmn\_form\_email == "" || !preg\_match( "/^((?:\[a-z0-9'\]+(?:\[a-z0-9\\-\_\\.'\]+)?@\[a-z0-9\]+(?:\[a-z0-9\\-\\.\]+)?\\.\[a-z\]{2,5})\[, \]\*)+$/i", $bwsmn\_form\_email ) ) { $bwsmn\_form\_email = esc\_html( trim( $\_REQUEST\['bwsmn\_form\_email'\] ) ); if ( $bwsmn\_form\_email == "" || ! is\_email( $bwsmn\_form\_email ) ) { $error = \_\_( "Please enter a valid email address.", 'bestwebsoft' ); } else { $email = $bwsmn\_form\_email; Expand All @@ -506,19 +538,24 @@ function bws\_add\_menu\_render() { foreach ( $system\_info\['system\_info'\] as $key => $value ) { $message\_text .= '<tr><td>'. $key .'</td><td>'. $value .'</td></tr>'; } $message\_text .= '</table> <h4>Active Plugins</h4> <table>'; foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; $message\_text .= '</table>'; if ( ! empty( $system\_info\['active\_plugins'\] ) ) { $message\_text .= '<h4>Active Plugins</h4> <table>'; foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; } $message\_text .= '</table>'; } $message\_text .= '</table> <h4>Inactive Plugins</h4> <table>'; foreach ( $system\_info\['inactive\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; if ( ! empty( $system\_info\['inactive\_plugins'\] ) ) { $message\_text .= '<h4>Inactive Plugins</h4> <table>'; foreach ( $system\_info\['inactive\_plugins'\] as $key => $value ) { $message\_text .= '<tr><td scope="row">'. $key .'</td><td scope="row">'. $value .'</td></tr>'; } $message\_text .= '</table>'; } $message\_text .= '</table></body></html>'; $message\_text .= '</body></html>'; $result = wp\_mail( $email, 'System Info From ' . $home\_url, $message\_text, $headers ); if ( $result != true ) $error = \_\_( "Sorry, email message could not be delivered.", 'bestwebsoft' ); Expand Down Expand Up @@ -578,8 +615,10 @@ function bws\_add\_menu\_render() { </div\> <div class\="bws\_product\_links"\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["link"\]; ?>" target\="\_blank"\><?php \_e( "Learn more", 'bestwebsoft' ); ?></a\> <span\> | </span\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php if ( '' != $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\] ) { ?> <span\> | </span\> <a href\="<?php echo $bws\_plugins\_pro\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php } ?> </div\> </div\> <?php } elseif ( isset( $bws\_plugins\[ $key\_plugin \] ) ) { ?> Expand All @@ -605,8 +644,10 @@ function bws\_add\_menu\_render() { </div\> <div class\="bws\_product\_links"\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["link"\]; ?>" target\="\_blank"\><?php \_e( "Learn more", 'bestwebsoft' ); ?></a\> <span\> | </span\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php if ( '' != $bws\_plugins\[ $key\_plugin \]\["settings"\] ) { ?> <span\> | </span\> <a href\="<?php echo $bws\_plugins\[ $key\_plugin \]\["settings"\]; ?>" target\="\_blank"\><?php \_e( "Settings", 'bestwebsoft' ); ?></a\> <?php } ?> </div\> </div\> <?php } Expand Down Expand Up @@ -862,12 +903,14 @@ function bws\_add\_menu\_render() { <table class\="bws\_system\_info"\> <thead\><tr\><th\><?php \_e( 'Active Plugins', 'bestwebsoft' ); ?></th\><th\></th\></tr\></thead\> <tbody\> <?php foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { ?> <tr\> <td scope\="row"\><?php echo $key; ?></td\> <td scope\="row"\><?php echo $value; ?></td\> </tr\> <?php } ?> <?php if ( ! empty( $system\_info\['active\_plugins'\] ) ) { foreach ( $system\_info\['active\_plugins'\] as $key => $value ) { ?> <tr\> <td scope\="row"\><?php echo $key; ?></td\> <td scope\="row"\><?php echo $value; ?></td\> </tr\> <?php } } ?> </tbody\> </table\> <table class\="bws\_system\_info"\> Expand Down

CVE-2014-125102: V1.0.8 - Security Exploit was fixed. Ability to show posts thumbnails. · wp-plugins/relevant@860d189

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

**Dolibarr vulnerable to remote code execution via uppercase manipulation**

Moderate severity GitHub Reviewed Published May 29, 2023 to the GitHub Advisory Database • Updated May 30, 2023

GHSA-9wqr-5jp4-mjmh: Dolibarr vulnerable to remote code execution via uppercase manipulation

**Swascan Offensive Security Team** has identified a vulnerability on **Dolibarr 17.0.0**. The vulnerability can be tracked with id **CVE-2023-30253**.

The vulnerability has been fixed in **Dolibarr 17.0.1**.

**Product description**

Dolibarr ERP & CRM is a modular software of business management which adapts to the size of the company (SME, Large companies, Frelancers or associations).

**Technical summary**

Swascan’s Offensive Security Team found an important vulnerability on: **17.0.0**

**Vulnerability**

**Tested Vesions**

**CVSSv3.1**            

**CWE-ID**

Authenticated Remote Command Execution

17.0.0

**8.8** High \[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\]

CWE-77

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.

**Description**

In Dolibarr 17.0.0 with the CMS Website plugin (core) enabled, an authenticated attacker can obtain remote command execution via php code injection bypassing the application restrictions.

**Proof of Concept**

The following POC shows how to run system commands and the test conditions.

The core plugin CMS Websites is enabled and there is a test user with the following authorizations.

**Figure 1 – test user permissions**

Actually, the test user can’t modify the website with php code (dynamic php code disabled).

**Figure 2 – evidence of the error with php code**

As the Figure 1 shows, the PHP code is flagged as disabled, anyway it’s still possible to inject PHP code as Test user, by tipying “<?**PHP** code…?>” instead of “<?php code..?>”.

The check upon the tag “<?php” can be bypassed by typing it with any character in uppercase (Php, pHp, pHP, PHP).

**Figure 3 – check bypass**

**Figure 4 – php code injected**

The php code has been injected and the page shows the result “4”.

Furthermore, the PHP tag (upper case) also bypass the check on the forbidden php functions in **core/lib/website2.lib.php**.

**Figure 5 – file /usr/share/dolibarr/htdocs/core/lib/website2.lib.php**

**Figure 6 – php code for RCE**

<?PHP echo system(“whoami”).”<br><br>”.system(“pwd”).”<br><br>”.system(“ip a”);?>

**Figure 7 – Remote Command Execution**

In conclusion, with a low privileged user who has access to the websites plugin and **without** the php code permission, it’s poissble to execute command on the remote machine.

**Impact**

An authenticated attacker could obtain access to the remote system and execute arbitrary commands.

**Remediation**

Download latest Dolibarr release from https://www.dolibarr.org/

**References**

*   https://github.com/Dolibarr/dolibarr
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30253
*   https://owasp.org/www-community/attacks/Command\_Injection
*   https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html
*   https://github.com/Dolibarr/dolibarr/releases/tag/17.0.1

****Disclosure Timeline****

*   10-03-2023: Vulnerabilities discovered
*   15-03-2023: Vendor contacted by email
*   22-03-2023: Second attempt by email
*   27-03-2023: Vendor confirmed the vulnerability has been fixed
*   16-05-2023: Vendor release Dolibarr v17.0.1

Tag

#php