Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 26 Apr 2023 11:54:38 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Hi list,

this report is about a remote file deletion vulnerability in Warpinator
\[1\].

Introduction
============

I already reviewed and found issues in Warpinator a while ago \[2\]. The
openSUSE packager for Warpinator asked me for a follow-up review after
updating to upstream release 1.4.3 which contained the fixes for
CVE-2022-42725.

In the course of the review I found another vulnerability which is
described in detail in the next section.

The Vulnerability
=================

In the code base of version 1.4.3 the sender of a file also sends a list
of \`top\_dir\_basenames\` to the peer. While there is now a verification of
the \`relative\_path\` on the receiving side, the \`top\_dir\_basenames\` are
not verified at all. In \`FileReceiver.\_\_init\_\_()\` the following code is
found:

\`\`\`
    for name in op.top\_dir\_basenames:
        try:
            path = os.path.join(self.save\_path, name)
            if os.path.isdir(path): # file not found is ok
                shutil.rmtree(path)
            else:
                os.remove(path)
        except FileNotFoundError:
            pass
        except Exception as e:
            logging.warning("Problem removing existing files.  Transfer may not succeed: %s" % e)
\`\`\`

If the sender is passing a string like "../" as part of
\`top\_dir\_basenames\` then this code will delete the complete parent
directory of the download directory (by default ~/Warpinator) and thus
the complete home directory of the receiving party. Any other files
under control of the receiving party are similarly endangered by this
remote DoS / integrity attack.

This can happen automatically if the receiving side is running
Warpinator in trusted mode, both parties share the same non-default
group key and unconfirmed file overwrites are allowed. If this is not
the case then the receiving side will see a confirmation popup like

    X wants to send \`../´

This message might not be very suspecting for an average end user. Other
strings can be used here as well like an absolute path to the user's
home directory, which could be interpreted as correct, or overlooked.

I investigated whether the fact that this allows to delete the download
directory completely could lead to a follow-up vulnerability to allow
overwriting files in other paths again. This seems not to be possible
though.  The check of the \`relative\_path()\` is stable enough to prevent
this even if the download directory does not exist at all.

Affectedness
============

The problematic handling of \`top\_dir\_basenames\` was first introduced in
upstream version 1.0.7.

Bugfixes
========

The remote file deletion vulnerability has been fixed upstream via
commit 9aae768 \[3\].

The fact that this vulnerability escaped both upstream's and my own
review efforts during handling of CVE-2022-4272 confirmed earlier
concerns I had about relying on a single line of defense in the
Warpinator codebase. I recommended to upstream to use an isolation
technique like Linux mount namespaces to prevent escapes from the
destined download directory. In the light of this new security issue I
additionally or alternatively recommended a redesign of the codebase to
better separate trusted and untrusted codepaths.

Upstream used the 90 days embargo time we offered to implement isolation
mechanisms either based on Linux namespaces through the Bubblewrap tool,
or based on the Linux kernel's landlock security module. Only if none of
both can be established, Warpinator will run in a legacy mode. In
this case the user will be warned about the weakened security.

The new Warpinator major version release 1.6.0 contains both the bugfix
for this the remote file deletion issue as well as the added security
layers.

Timeline
========

2023-01-25: I reported the newly found issue to upstream and offered
            coordinated disclosure.
2023-03-08: Upstream shared the core changes listed above with us, I
            reviewed them and gave feedback.
2023-04-05: I received CVE-2023-29380 from Mitre to track the file
            deletion issue and shared it with upstream.
2023-04-25: Upstream needed additional time for testing and integration.
            The 90 days maximum embargo period we offer ends and with
	    the 1.6.0 release being available we agreed on the
	    publication of all available information.

References
==========

\[1\]: https://github.com/linuxmint/warpinator
\[2\]: https://seclists.org/oss-sec/2022/q4/38
\[3\]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663

Best Regards

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29380: security - Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to sql injection. Upgrading to version 2021.11.30 is able to address this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084.

CVE-2021-4336

A vulnerability classified as critical was found in mback2k mh_httpbl Extension up to 1.1.7 on TYPO3. This vulnerability affects the function moduleContent of the file mod1/index.php. The manipulation leads to sql injection. The attack can be initiated remotely. Upgrading to version 1.1.8 is able to address this issue. The name of the patch is 429f50f4e4795b20dae06735b41fb94f010722bf. It is recommended to upgrade the affected component. VDB-230086 is the identifier assigned to this vulnerability.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this user All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

mback2k / **mh\_httpbl** Public

*   Notifications
*   Fork 1
*   Star 0
    

*   Code
*   Issues
*   Pull requests 1
*   Actions
*   Projects
*   Security
*   Insights

More

Releases Tags

*   mh\_httpbl\_1.1.8\_security
*   ecafb11
*   Unverified
    
    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    
    Learn about vigilant mode.
    
*   Compare
    
    Choose a tag to compare
    

mh\_httpbl\_1.1.8\_security: TYPO3 Security Team: Security Fix PLEASE UPDATE

*   mh\_httpbl\_1.1.8\_security
*   ecafb11
*   Compare
    
    Choose a tag to compare
    
*   Unverified
    
    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    
    Learn about vigilant mode.
    

 mback2k tagged this

01 Jun 22:36

See: https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-016/ for details ~nc

Assets 2

*   Source code (zip)
    
    2016-06-01T22:36:37Z
    
*   Source code (tar.gz)
    
    2016-06-01T22:36:37Z

CVE-2015-10106: Release mh_httpbl_1.1.8_security: TYPO3 Security Team: Security Fix PLEASE UPDATE · mback2k/mh_httpbl

A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. Affected is an unknown function of the file delete_bus.php. The manipulation of the argument busid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230112.

CVE-2023-2951

Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up

@@ -55,7 +55,7 @@ function add\_template(){

url: "ajax\_code.php",

dataType: "html",

data: {

list\_id: <?php echo htmlspecialchars($list\_id, ENT\_QUOTES);?>,

list\_id: <?php echo js\_escape($list\_id); ?>,

multi: val,

source: "save\_provider"

},

Expand All

@@ -71,7 +71,7 @@ function add\_template(){

return;

}

else{

alert("<?php echo addslashes(xl('You should select at least one Provider'));?>");

alert(<?php echo xlj('You should select at least one Provider');?>);

}

  

}

Expand All

@@ -97,13 +97,13 @@ function add\_template(){

$sel = '';

}

}

echo "<option value='" . htmlspecialchars($row\['id'\], ENT\_QUOTES) . "' $sel\>" . htmlspecialchars($row\['lname'\] . "," . $row\['fname'\], ENT\_QUOTES) . "</option>";

echo "<option value='" . attr($row\['id'\]) . "' $sel\>" . text($row\['lname'\] . "," . $row\['fname'\]) . "</option>";

}

?>

</select\>

</td\>

<td\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo htmlspecialchars(xl('Save'), ENT\_QUOTES);?></span\></a\>

<a href\="#" onclick\="add\_template()" class\="btn btn-primary"\><span\><?php echo xlt('Save');?></span\></a\>

</td\>

</tr\>

</table\>

Expand Down

CVE-2023-2948: fixes: couple more misc fixes (#6336) · openemr/openemr@af1ecf7

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -120,13 +120,13 @@ function sqlQuery($statement, $link) } }  
echo " <td>$sfname</td>\\n"; echo " <td>$dbase</td>\\n"; echo " <td>" . htmlspecialchars($sfname, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($dbase, ENT\_NOQUOTES) . "</td>\\n";  
if (!$config) { echo " <td colspan='3'><a href='setup.php?site=$sfname' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; echo " <td colspan='3'><a href='setup.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; } elseif ($errmsg) { echo " <td colspan='3' class='text-danger'>$errmsg</td>\\n"; echo " <td colspan='3' class='text-danger'>" . htmlspecialchars($errmsg, ENT\_NOQUOTES) . "</td>\\n"; } else { // Get site name for display. $row = sqlQuery("SELECT gl\_value FROM globals WHERE gl\_name = 'openemr\_name' LIMIT 1", $dbh); Expand All @@ -152,20 +152,20 @@ function sqlQuery($statement, $link) }  
// Display relevant columns. echo " <td>$openemr\_name</td>\\n"; echo " <td>$openemr\_version</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_name, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_version, ENT\_NOQUOTES) . "</td>\\n"; if ($v\_database != $database\_version) { echo " <td><a href='sql\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Database</a></td>\\n"; echo " <td><a href='sql\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Database</a></td>\\n"; } elseif (($v\_acl > $database\_acl)) { echo " <td><a href='acl\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; echo " <td><a href='acl\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; } elseif (($v\_realpatch != $database\_patch)) { echo " <td><a href='sql\_patch.php?site=$sfname' class='text-decoration-none'>Patch Database</a></td>\\n"; echo " <td><a href='sql\_patch.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Patch Database</a></td>\\n"; } else { echo " <td><i class='fa fa-check fa-lg text-success' aria-hidden='true' ></i></a></td>\\n"; } if (($v\_database == $database\_version) && ($v\_acl <= $database\_acl) && ($v\_realpatch == $database\_patch)) { echo " <td><a href='interface/login/login.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='interface/login/login.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; } else { echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; Expand Down

CVE-2023-2947: fix: bug fix (#6296) · openemr/openemr@8d2d601

 Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -43,7 +43,7 @@ require\_once("$srcdir/forms.inc.php"); require\_once("$srcdir/appointments.inc.php");  
use OpenEMR\\Core\\Header; use OpenEMR\\Services\\AppointmentService;  
// Things that might be passed by our opener. // Expand All @@ -64,6 +64,24 @@ exit(); }  
if (!empty($\_POST\['form\_pid'\])) { if ($\_POST\['form\_pid'\] != $\_SESSION\['pid'\]) { echo js\_escape("error"); exit(); }  
if (! getAvailableSlots($\_POST\['form\_date'\], date('Y-m-d', strtotime("+1 year " . $\_POST\['form\_date'\])), $\_POST\['form\_provider\_ae'\])) { echo js\_escape("error"); exit(); }  
$appointment\_service = (new AppointmentService())->getOneCalendarCategory($\_POST\['form\_category'\]); if (($\_POST\['form\_duration'\] \* 60) != ($appointment\_service\[0\]\['pc\_duration'\])) { echo js\_escape("error"); exit(); } }  
if ($date) { $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6); } else { Expand Down Expand Up @@ -135,7 +153,7 @@ $event\_date = fixDate($\_POST\['form\_date'\]);  
// Compute start and end time strings to be saved. if ($\_POST\['form\_allday'\]) { if ($\_POST\['form\_allday'\] ?? null) { $tmph = 0; $tmpm = 0; $duration = 24 \* 60; Expand Down Expand Up @@ -165,7 +183,7 @@  
// More garbage, but this time 1 character of it is used to save the // repeat type. if ($\_POST\['form\_repeat'\]) { if ($\_POST\['form\_repeat'\] ?? null) { $recurrspec = 'a:5:{' . 's:17:"event\_repeat\_freq";s:1:"' . $\_POST\['form\_repeat\_freq'\] . '";' . 's:22:"event\_repeat\_freq\_type";s:1:"' . $\_POST\['form\_repeat\_type'\] . '";' . Expand All @@ -185,7 +203,7 @@ //for example monday, or thursday. We set the start date on the first day of the week //that the event is scheduled. For example if you set the event to repeat on each monday //the start date of the event will be set on the first monday after the day the event is scheduled if ($\_POST\['form\_repeat\_type'\] == 5) { if (($\_POST\['form\_repeat\_type'\] ?? null) == 5) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Tue") { Expand All @@ -201,7 +219,7 @@ } elseif ($edate == "Sun") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 6) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 6) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Wed") { Expand All @@ -217,7 +235,7 @@ } elseif ($edate == "Mon") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 7) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 7) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Thu") { Expand All @@ -233,7 +251,7 @@ } elseif ($edate == "Tue") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 8) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 8) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Fri") { Expand All @@ -249,7 +267,7 @@ } elseif ($edate == "Wed") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 9) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 9) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Sat") { Expand Down Expand Up @@ -305,7 +323,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($row\['pc\_multiple'\]) . "', " . "'" . add\_escape\_custom($to\_be\_inserted) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand All @@ -332,7 +350,7 @@ foreach ($\_POST\['form\_provider\_ae'\] as $provider) { sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -365,22 +383,22 @@ sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_aid = '" . add\_escape\_custom($prov) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "pc\_informant = '" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "pc\_eventDate = '" . add\_escape\_custom($event\_date) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\] ?? '')) . "', " . "pc\_duration = '" . add\_escape\_custom(($duration \* 60)) . "', " . "pc\_recurrtype = '" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "pc\_recurrtype = '" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "pc\_recurrspec = '" . add\_escape\_custom($recurrspec) . "', " . "pc\_startTime = '" . add\_escape\_custom($starttime) . "', " . "pc\_endTime = '" . add\_escape\_custom($endtime) . "', " . "pc\_alldayevent = '" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "pc\_alldayevent = '" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "pc\_apptstatus = '" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "pc\_prefcatid = '" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "pc\_facility = '" . (int)$\_POST\['facility'\] . "' " . // FF stuff "pc\_prefcatid = '" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? '')) . "', " . "pc\_facility = '" . (int)($\_POST\['facility'\] ?? null) . "' " . // FF stuff "WHERE pc\_eid = '" . add\_escape\_custom($eid) . "'"); }  
Expand Down Expand Up @@ -416,7 +434,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($new\_multiple\_value) . "', " . "'" . add\_escape\_custom($provider) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -446,24 +464,24 @@ ") VALUES ( " . "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_provider\_ae'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "'" . add\_escape\_custom($event\_date) . "', " . "'" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "'" . add\_escape\_custom(fixDate(($\_POST\['form\_enddate'\] ?? ''))) . "', " . "'" . add\_escape\_custom(($duration \* 60)) . "', " . "'" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "'" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "'" . add\_escape\_custom($recurrspec) . "', " . "'" . add\_escape\_custom($starttime) . "', " . "'" . add\_escape\_custom($endtime) . "', " . "'" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "'" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? null)) . "', " . "'" . add\_escape\_custom($locationspec) . "', " . "1, " . "1, " . (int)$\_POST\['facility'\] . ")"); // FF stuff "1, " . (int)($\_POST\['facility'\] ?? null) . ")"); // FF stuff } // INSERT single } // else - insert } elseif (($\_POST\['form\_action'\] ?? null) == "delete") { Expand Down Expand Up @@ -496,7 +514,7 @@ $note .= ". " . xl("Use Portal Dashboard to confirm with patient."); $title = xl("Patient Reminders"); $user = sqlQueryNoLog("SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($\_POST\['form\_provider\_ae'\])); $rtn = addPnote($\_POST\['form\_pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New'); $rtn = addPnote($\_SESSION\['pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New');  
$\_SESSION\['whereto'\] = '#appointmentcard'; header('Location:./home.php'); Expand Down Expand Up @@ -657,12 +675,12 @@ <form method\='post' name\='theaddform' id\='theaddform' action\='add\_edit\_event\_user.php?eid=<?php echo attr\_url($eid); ?>'\> <div class\="col-12"\> <input type\="hidden" name\="form\_action" id\="form\_action" value\="" /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo $row\['pc\_catid'\] ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo $row\['pc\_apptstatus'\] ? attr($row\['pc\_apptstatus'\]) : "^" ?>' /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo ($row\['pc\_catid'\] ?? '') ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo ($row\['pc\_apptstatus'\] ?? '') ? attr($row\['pc\_apptstatus'\] ?? '') : "^" ?>' /> <div class\="row form-group"\> <div class\="input-group col-12 col-md-6"\> <label class\="mr-2" for\="form\_category"\><?php echo xlt('Visit'); ?>:</label\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo ($row\['pc\_catid'\] > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo (($row\['pc\_catid'\] ?? '') > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <?php echo $catoptions ?> </select\> </div\> Expand All @@ -684,7 +702,7 @@ </div\> <div class\="input-group"\> <label class\="mr-2" for\="form\_duration"\><?php echo xlt('Duration'); ?></label\> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo $row\['pc\_duration'\] ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo ($row\['pc\_duration'\] ?? '') ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <span class\="input-group-append"\> <span class\="input-group-text"\><?php echo "&nbsp;" . xlt('minutes'); ?></span\> </span\> Expand Down Expand Up @@ -730,7 +748,7 @@ </div\> </div\> <div class\="row input-group my-1"\> <?php if ($\_GET\['eid'\] && $row\['pc\_apptstatus'\] !== 'x') { ?> <?php if (($\_GET\['eid'\] ?? null) && $row\['pc\_apptstatus'\] !== 'x') { ?> <input type\='button' id\='form\_cancel' class\='btn btn-danger' onsubmit\='return false' value\='<?php echo xla('Cancel Appointment'); ?>' onclick\="cancel\_appointment()" /> <?php } ?> <input type\='button' name\='form\_save' class\='btn btn-success' onsubmit\='return false' value\='<?php echo xla('Save'); ?>' onclick\="validate()" /> Expand Down

CVE-2023-2943: bug fix (#6079) · openemr/openemr@c1c0805

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up

@@ -17,8 +17,14 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('admin', 'practice')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Address Book")\]);

exit;

}

  

if (!empty($\_POST)) {

if (!CsrfUtils::verifyCsrfToken($\_POST\["csrf\_token\_form"\])) {

CsrfUtils::csrfNotVerified();

Expand Down Expand Up

@@ -467,7 +473,7 @@ function typeSelect(a) {

<label for\="form\_state" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('State') . "/" . xlt('county'); ?>:</label\>

</div\>

<div class\="col"\>

<?php echo generate\_select\_list('form\_state', 'state', ($row\['state'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

<?php echo generate\_select\_list('form\_state', 'state', ($row\['state'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

</div\>

<div class\="col-2"\>

<label for\="form\_zip" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Postal code'); ?>:</label\>

Expand Down Expand Up

@@ -498,7 +504,7 @@ function typeSelect(a) {

<label for\="form\_state2" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Alt State') . "/" . xlt('county'); ?>:</label\>

</div\>

<div class\="col-auto"\>

<?php echo generate\_select\_list('form\_state2', 'state', ($row\['state2'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

<?php echo generate\_select\_list('form\_state2', 'state', ($row\['state2'\] ?? null), '', 'Unassigned', 'form-control-sm', 'typeSelect(this.value)'); ?>

</div\>

<div class\="col-auto"\>

<label for\="form\_zip2" class\="font-weight-bold col-form-label col-form-label-sm"\><?php echo xlt('Alt Postal code'); ?>:</label\>

Expand Down

CVE-2023-2944: bug fix (#6267) · openemr/openemr@723ac5d

A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083.

CVE-2023-2928

A vulnerability was found in SeaCMS 11.6 and classified as problematic. This issue affects some unknown processing of the file member.php of the component Picture Upload Handler. The manipulation of the argument oldpic leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230081 was assigned to this vulnerability.

Tag

#php