#php

Human Resource Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Abdulhakim Oner in March of 2023.

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

DataCube3 version 1.0 suffers from a remote shell upload vulnerability.

NDtaskmatic version 1.0 suffers from a remote SQL injection vulnerability.

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

### Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by `BaseInventory->getItem()`. ### Details Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873 ### PoC Using Gophertunnel, use `serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})` ### Impact Server crash, all servers ### Patched versions This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

### Summary - Due to insufficient permission verification, user who can write a page use frontmatter feature. - Inadequate File Name Validation ### Details 1. Insufficient Permission Verification In Grav CMS, "[Frontmatter](https://learn.getgrav.org/17/content/headers)" refers to the metadata block located at the top of a Markdown file. Frontmatter serves the purpose of providing additional information about a specific page or post. In this feature, only administrators are granted access, while regular users who can create pages are not. However, if a regular user adds the data[_json][header][form] parameter to the POST Body while creating a page, they can use Frontmatter. The demonstration of this vulnerability is provided in video format. [Video Link](https://www.youtube.com/watch?v=EU1QA0idoWE) 2. Inadequate File Name Validation To create a Contact Form, Frontmatter and markdown can be written as follows: [Contact Form Example](https://learn.getgrav.org/17/forms/forms/example-fo...

### Impact The Symfony Session Handler, pop's the Session Cookie and assign it to the Response. Since Shopware 6.5.8.0 the 404 pages, are cached, to improve the performance of 404 pages. So the cached Response, contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the PHP Redis extension, this exploiting code is not used. ### Patches Update to Shopware version 6.5.8.7 ### Workarounds Using Redis for Sessions, as this does not trigger the exploit code. Example configuration for Redis ```ini # php.ini session.save_handler = redis session.save_path = "tcp://127.0.0.1:6379" ``` ## Consequences As an guest browser session has been cached on a 404 page, every missing image or directly reaching a 404 page will logout the customer or clear his cart.