#php

### Summary Using the Relay special `node` type you can bypass the configured security on an operation. ### Details Here is an example of how to apply security configurations for the GraphQL operations: ```php #[ApiResource( security: "is_granted('ROLE_USER')", operations: [ /* ... */ ], graphQlOperations: [ new Query(security: "is_granted('ROLE_USER')"), //... ], )] class Book { /* ... */ } ``` This indeed checks `is_granted('ROLE_USER')` as expected for a GraphQL query like the following: ```php ‌query { book(id: "/books/1") { title } } ``` But the security check can be bypassed by using the `node` field (that is available by default) on the root query type like that: ```php ‌query { node(id: "/books/1") { ... on Book { title } } } ``` This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API. ### Impa...

### Summary The `squelette` parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload `../../../../../../etc/passwd` was submitted in the `squelette` parameter. The requested file was returned in the application's response. ### Details File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem. ### PoC 1. Access the below URL to see the contents of `/etc/passwd`: **URL with payload:** `https://yeswiki.net/?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css` Similarly, contents of `wakka.config.php` can...

The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…

### Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/files#diff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56 https://github.com/soyuka/core/blob/7e2e8f9ff322ac5f6eb5f65baf432bffdca0fd51/src/Symfony/Security/State/AccessCheckerProvider.php#L49-L57 ### PoC Create a graphql endpoint with a security after resolver. ### Impact As this fallsback to `security`, the impact is there only when there's only a security after resolver and none inside security. The test at https://github.com/api-platform/core/pull/6444 is probably broken.

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

### Summary URLs starting with `//` are not parsed properly, and the request `REQUEST_FILENAME` variable contains a wrong value, leading to potential rules bypass. ### Details If a request is made on an URI starting with `//`, coraza will set a wrong value in `REQUEST_FILENAME`. For example, if the URI `//bar/uploads/foo.php?a=b` is passed to coraza: , `REQUEST_FILENAME` will be set to `/uploads/foo.php`. The root cause is the usage of `url.Parse` to parse the URI in [ProcessURI](https://github.com/corazawaf/coraza/blob/8b612f4e6e18c606e371110227bc7669dc714cab/internal/corazawaf/transaction.go#L768). `url.Parse` can parse both absolute URLs (starting with a scheme) or relative ones (just the path). `//bar/uploads/foo.php` is a valid absolute URI (the scheme is empty), `url.Parse` will consider `bar` as the host and the path will be set to `/uploads/foo.php`. ### PoC ```go package main import ( "fmt" "net/url" "os" "github.com/corazawaf/coraza/v3" ) const testRule = ` Sec...

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. ### Impact - Users can exploit this flaw to receive products/services without paying the full amount. - Merchants may suffer financial losses due to underpaid orders. - Trust in the integrity of the payment process is compromised. ### Patches The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above. ### Workarounds To resolve the problem in the end application without updating to the newest patches, there is a need to overwrite `PayPalOrderCompleteProcessor` w...

Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company