#php

Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.

A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after initiating the PayPal Checkout process, PayPal will not receive the updated total amount. As a result, PayPal captures only the initially transmitted amount, while Sylius incorrectly considers the order fully paid based on the modified total. This flaw can be exploited both accidentally and intentionally, potentially enabling fraud by allowing customers to pay less than the actual order value. ### Impact - Attackers can intentionally pay less than the actual total order amount. - Business owners may suffer financial losses due to underpaid orders. - Integrity of payment processing is compromised. ### Patches The issue is fixed in versions: 1.6.1, 1.7.1, 2.0.1 and above. ### Workarounds To resolve the problem in the end application without updating to the newest patches, there is a need to overwrite `ProcessPayPalOrderAction` wi...

Thorsten picks apart some headlines, highlights Talos’ report on an unknown attacker predominantly targeting Japan, and asks, “Where is the victim, and does it matter?”

### Summary Authenticated users can craft a filter string used to cause a SQL injection. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ This code does not look to sanitize inputs: https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47 c.f. with https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347 ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ ### Impact _What kind of vulnerability is it? Who is impacted?_

### Summary There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed. ### Details #### What is verified The data['SignedQuery'] is the string that will be verified by the public key. It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217 THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery. For example, given: SAMLRequest=a&SAMLResponse=idpsigned SAMLResponse=idpsigned will be set as sigQuery, then later verified #### What is actually processed Processing uses SAMLReques...

### Impact Due to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients were able to abuse some packets to waste server CPU and memory. This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to: - Sign editing - LoginPacket JWT parsing - Command parsing However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit. ### Patches The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831. A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to `explode()` within the codebase must specify the `limit` parameter. ### Workarounds No simple way to fix this. Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-proc...

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the…

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical

Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town.

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.