Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2020-14641: Oracle Critical Patch Update Advisory - July 2020

The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 10 Jul 2020 13:25:18 +0200
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: webkit-gtk@...ts.webkit.org, webkit-wpe@...ts.webkit.org
Cc: security@...kit.org, distributor-list@...me.org,
 oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: WebKitGTK and WPE WebKit Security Advisory WSA-2020-0006

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2020-0006
------------------------------------------------------------------------

Date reported           : July 10, 2020
Advisory ID             : WSA-2020-0006
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2020-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0006.html
CVE identifiers         : CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
                          CVE-2020-9806, CVE-2020-9807, CVE-2020-9843,
                          CVE-2020-9850, CVE-2020-13753.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2020-9802
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A logic issue was addressed
    with improved restrictions.

CVE-2020-9803
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Wen Xu of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed with improved validation.

CVE-2020-9805
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue was
    addressed with improved restrictions.

CVE-2020-9806
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Wen Xu of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed with improved state management.

CVE-2020-9807
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Wen Xu of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed with improved state management.

CVE-2020-9843
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Ryan Pickren (ryanpickren.com).
    Impact: Processing maliciously crafted web content may lead to a
    cross site scripting attack. Description: An input validation issue
    was addressed with improved input validation.

CVE-2020-9850
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech
    working with Trend Micro’s Zero Day Initiative.
    Impact: A remote attacker may be able to cause arbitrary code
    execution. Description: A logic issue was addressed with improved
    restrictions.

CVE-2020-13753
    Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3
    Credit to Milan Crha at Red Hat.
    The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3,
    failed to properly block access to CLONE\_NEWUSER and the TIOCSTI
    ioctl. CLONE\_NEWUSER could potentially be used to confuse xdg-
    desktop-portal, which allows access outside the sandbox. TIOCSTI can
    be used to directly execute commands outside the sandbox by writing
    to the controlling terminal's input buffer, similar to
    CVE-2017-5226.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
July 10, 2020

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (898 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2020-13753: security - WebKitGTK and WPE WebKit Security Advisory WSA-2020-0006

openSIS through 7.4 allows Directory Traversal.

    --------------------------------------------------------------openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability--------------------------------------------------------------[-] Software Link:https://opensis.com/[-] Affected Versions:Version 7.4 and prior versions.[-] Vulnerability Description:The vulnerable code is located in the /Bottom.php script:36.  if(clean_param($_REQUEST['modfunc'],PARAM_ALPHA)=='print')37.  {38.    $_REQUEST = $_SESSION['_REQUEST_vars'];39.    $_REQUEST['_openSIS_PDF'] = true;40.    if(strpos($_REQUEST['modname'],'?')!==false)41.      $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));42.    else43.      $modname = $_REQUEST['modname'];44.    ob_start();45.    include('modules/'.$modname);User input passed through the "modname" request parameter is not properly sanitized before beingused in a call to the "include()" function at line 45. This can be exploited to include arbitrarylocal files and potentially access otherwise restricted functionalities or execute arbitrary PHPcode with the permissions of the webserver.[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[04/11/2019] - Vendor notified[04/11/2019] - Vendor acknowledgement[10/01/2020] - Vendor contacted again asking for updates[16/01/2020] - Vendor tried to fix the vulnerability by using "mysqli_real_escape_string()"[06/02/2020] - Vendor was informed about the inappropriate fix[25/04/2020] - Version 7.4 released, vulnerability still incorrectly fixed[22/05/2020] - CVE number assigned[30/06/2020] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2020-13383 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2020-07

CVE-2020-13383: openSIS 7.4 Local File Inclusion ≈ Packet Storm

openSIS through 7.4 allows SQL Injection.

-----------------------------------------------------  
openSIS <= 7.4 Multiple SQL Injection Vulnerabilities  
-----------------------------------------------------

[-] Software Link:

https://opensis.com/

[-] Affected Versions:

Version 7.4 and prior versions.

[-] Vulnerabilities Description:

The application is affected by multiple SQL Injection vulnerabilities,   
following are some examples:

1) User input passed through the "api_key" and "api_secret" parameters   
to '/api/SchoolInfo.php',  
'/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not   
properly sanitized before being  
used to construct a SQL query. This can be exploited by unauthenticated   
attackers to e.g. read  
sensitive data from the database through error-based SQL Injection   
attacks.

2) User input passed through the "event_id" parameter to   
'/CalendarModal.php' is not properly  
sanitized before being used to construct a SQL query. This can be   
exploited by remote attackers  
to e.g. read sensitive data from the database through in-band SQL   
Injection attacks.

3) User input passed through the "course_id" parameter to   
'/modules/scheduling/MassSchedule.php'  
is not properly sanitized before being used to construct a SQL query.   
This can be exploited by  
remote attackers to e.g. read sensitive data from the database through   
SQL Injection attacks.

4) User input passed through the "student" parameter to   
'/modules/attendance/AddAbsences.php'  
is not properly sanitized before being used to construct a SQL query.   
This can be exploited by  
remote attackers to e.g. read sensitive data from the database through   
SQL Injection attacks.

NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4)   
- could also be  
abused to execute arbitrary PHP code due to an unsafe use of the   
"eval()" PHP function  
within the "DBGet()" function defined in the '/functions/DbGetFnc.php'   
script.

[-] Solution:

Upgrade to version 7.4 to remediate vulnerabilities (1) and (2).  
No official solution is currently available for the other   
vulnerabilities.

[-] Disclosure Timeline:

[04/11/2019] - Vendor notified  
[04/11/2019] - Vendor acknowledgement  
[10/01/2020] - Vendor contacted again asking for updates  
[15/01/2020] - Vendor replied they would need a few examples  
[20/01/2020] - Told the vendor they could use the PoC I sent them in   
November  
[05/02/2020] - Vendor asked for a video recording to demonstrate the   
vulnerabilities  
[06/02/2020] - Proof of Concept video sent to the vendor  
[06/02/2020] - Vendor informed about the correct fix for (1) and (2)   
with commit https://git.io/JJf4L  
[03/03/2020] - Vendor contacted again asking for updates about the other   
vulnerabilities  
[04/03/2020] - Vendor replied "we just have to wait a little longer"  
[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed  
[22/05/2020] - CVE numbers assigned  
[30/06/2020] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2),  
and name CVE-2020-13381 for the other vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-08

CVE-2020-13381: openSIS 7.4 SQL Injection ≈ Packet Storm

openSIS through 7.4 has Incorrect Access Control.

    -------------------------------------------------------openSIS <= 7.4 Incorrect Access Control Vulnerabilities-------------------------------------------------------[-] Software Link:https://opensis.com/[-] Affected Versions:Version 7.4 and prior versions.[-] Vulnerabilities Description:The application prevents unauthenticated access to its functionalities by includingthe 'RedirectIncludes.php', 'RedirectModules.php', and 'RedirectRootInc.php' scripts,which implement the access control logic by using the following code:if(!$_SESSION['STAFF_ID'] && !$_SESSION['STUDENT_ID'] && strpos($_SERVER['PHP_SELF'],'index.php')===false){     header('Location: ../../../index.php');     exit;}This can be easily bypassed by appending /index.php at the end of the URL, and canbe exploited by unauthenticated attackers to potentially access any applicationfunctionality which should require the user to be authenticated.[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[04/11/2019] - Vendor notified[04/11/2019] - Vendor acknowledgement[10/01/2020] - Vendor contacted again asking for updates[15/01/2020] - Vendor replied they would need a few examples[20/01/2020] - Told the vendor they could use the PoC I sent them in November[05/02/2020] - Vendor asked for a video recording to demonstrate the vulnerabilities[06/02/2020] - Proof of Concept video sent to the vendor[03/03/2020] - Vendor contacted again asking for updates[04/03/2020] - Vendor replied "we just have to wait a little longer"[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed[22/05/2020] - CVE number assigned[30/06/2020] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2020-13382 to these vulnerabilities.[-] Credits:Vulnerabilities discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2020-06

CVE-2020-13382: openSIS 7.4 Incorrect Access Control ≈ Packet Storm

OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.

CVE-2020-14947

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.

**CVE ID:** CVE-2020-15038

****Summary****

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Impact**

While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.

*   **Redirection**:
    
    If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
    
  
*   **Phishing**:
    
    Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
    

**Vulnerability**

The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).

    POST /wp-admin/options.php HTTP/1.1
    Host: localhost:10004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 636
    Origin: http://localhost:10004
    Connection: close
    Cookie: ...
    
    option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

****Timeline****

Vulnerability reported to the SeedProd team on June 22, 2020.  
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

****Recommendation****

It is highly recommended to update the plugin to the latest version.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
*   https://nvd.nist.gov/vuln/detail/CVE-2020-15038
*   https://wordpress.org/plugins/coming-soon/#developers
*   https://wpvulndb.com/vulnerabilities/10283

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

Tags: coming soon page, Cross Site Scripting, maintenance mode, seedprod, stored xss, under construction, vulnerability, WordPress, WordPress Maintenance, Wordpress Plugin Vulnerability, wordpress security, XSS

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

**Comments**

**sqli as admin v1.2.12**

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

**To Reproduce**

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

**Expected behavior**

change the following lines :  

$sql\_where = "WHERE (name LIKE '%" . get\_request\_var('filter') . "%'

    	/* form the 'where' clause for our main sql query */
    	if (get_request_var('filter') != '') {
    		$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
    			OR hex LIKE '%" .  get_request_var('filter') . "%')";
    	} else {
    		$sql_where = '';
    }
    

You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get\_request\_var('filter') . "%.

**Additional context**

*   As the application accept stacked queries, this can easy lead to remote code execution by replacing the path\_php\_binary setting inside the database.

    GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+- 
    

*   Then call host.php?action=reindex and get the shell\_exec called with the path\_php\_binary.  
    

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti  
And the request :

    /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
    

Is getting back the users and hash.

The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.

*   The actual code (1.12.x branch):

*   before the issue Non regular expression search filters don't support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

> This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is **NOT** fixed.  
I just tried with a fresh checkout of 1.2.x. and the exploit still work.  
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.  
And sanitize_search_string will drop char ', , ; and )\`.  
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT \*, 
        SUM(CASE WHEN local\_graph\_id\>0 THEN 1 ELSE 0 END) AS graphs, 
        SUM(CASE WHEN local\_graph\_id\=0 THEN 1 ELSE 0 END) AS templates 
    FROM (
        SELECT c.\*, local\_graph\_id 
        FROM colors AS c LEFT JOIN (
            SELECT color\_id, graph\_template\_id, local\_graph\_id FROM graph\_templates\_item WHERE color\_id\>0 
        ) AS gti ON c.id\=gti.color\_id 
    ) AS rs 
    WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %' 
            OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %') 
        AND read\_only\='on' 
    GROUP BY rs.id

 netniV changed the title \[security\] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020

CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 1.7k

*   Code
*   Pull requests 866
*   Actions
*   Security
*   Insights

Permalink

Browse files

Editor: Prevent HTML decoding on by setting the proper editor context.

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -3231,7 +3231,7 @@ function edit\_form\_image\_editor( $post ) {

  

?>

</label\>

<?php wp\_editor( $post\->post\_content, 'attachment\_content', $editor\_args ); ?>

<?php wp\_editor( format\_to\_edit( $post\->post\_content ), 'attachment\_content', $editor\_args ); ?>

  

</div\>

<?php

**0 comments on commit 0977c0d**

Please sign in to comment.

Tag

#php