The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-3200: mstore-api.php in mstore-api/trunk – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**mstore-api/trunk/assets/js/mstore-inspireui.js**

r2610824

r2925048

 

22

22

    $(document).on('blur', '.mstore-update-limit-product', function () {

23

23

        var limit = $(this).val();

 

24

        var nonce = $(this).data('nonce');

24

25

        $.ajax({

25

26

            type: 'post',

…

…

 

27

28

            data: {

28

29

                action: 'mstore\_update\_limit\_product',

29

 

                limit: limit

 

30

                limit: limit,

 

31

                nonce: nonce

30

32

            },

31

33

            success: function (result) {

…

…

 

39

41

    $(document).on('blur', '.mstore-update-firebase-server-key', function () {

40

42

        var serverKey = $(this).val();

 

43

        var nonce = $(this).data('nonce');

41

44

        $.ajax({

42

45

            type: 'post',

…

…

 

44

47

            data: {

45

48

                action: 'mstore\_update\_firebase\_server\_key',

46

 

                serverKey: serverKey

 

49

                serverKey: serverKey,

 

50

                nonce: nonce

47

51

            },

48

52

            success: function (result) {

…

…

 

56

60

    $(document).on('blur', '.mstore-update-new-order-title', function () {

57

61

        var title = $(this).val();

 

62

        var nonce = $(this).data('nonce');

58

63

        $.ajax({

59

64

            type: 'post',

…

…

 

61

66

            data: {

62

67

                action: 'mstore\_update\_new\_order\_title',

63

 

                title: title

 

68

                title: title,

 

69

                nonce: nonce

64

70

            },

65

71

            success: function (result) {

…

…

 

73

79

    $(document).on('blur', '.mstore-update-new-order-message', function () {

74

80

        var message = $(this).val();

 

81

        var nonce = $(this).data('nonce');

75

82

        $.ajax({

76

83

            type: 'post',

…

…

 

78

85

            data: {

79

86

                action: 'mstore\_update\_new\_order\_message',

80

 

                message: message

 

87

                message: message,

 

88

                nonce: nonce

81

89

            },

82

90

            success: function (result) {

…

…

 

90

98

    $(document).on('blur', '.mstore-update-status-order-title', function () {

91

99

        var title = $(this).val();

 

100

        var nonce = $(this).data('nonce');

92

101

        $.ajax({

93

102

            type: 'post',

…

…

 

95

104

            data: {

96

105

                action: 'mstore\_update\_status\_order\_title',

97

 

                title: title

 

106

                title: title,

 

107

                nonce: nonce

98

108

            },

99

109

            success: function (result) {

…

…

 

107

117

    $(document).on('blur', '.mstore-update-status-order-message', function () {

108

118

        var message = $(this).val();

 

119

        var nonce = $(this).data('nonce');

109

120

        $.ajax({

110

121

            type: 'post',

…

…

 

112

123

            data: {

113

124

                action: 'mstore\_update\_status\_order\_message',

114

 

                message: message

 

125

                message: message,

 

126

                nonce: nonce

115

127

            },

116

128

            success: function (result) {

**mstore-api/trunk/controllers/flutter-booking.php**

r2924554

r2925048

 

188

188

        global $wpdb;

189

189

        $table\_name = $wpdb->prefix . "wc\_appointment\_relationships";

190

 

        $items = $wpdb->get\_results("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

190

        $sql = $wpdb->prepare("SELECT \* FROM $table\_name WHERE product\_id = '$product\_id'");

 

191

        $items = $wpdb->get\_results($sql);

191

192

        foreach ($items as $item) {

192

193

            $user = get\_user\_by("ID", $item->staff\_id);

**mstore-api/trunk/controllers/flutter-wholesale.php**

r2924554

r2925048

 

75

75

        $role = $params\["role"\];

76

76

       

77

 

        if (isset($role) && in\_array($role, \['administrator','owner'\], true)) {

 

77

        if (!class\_exists('WooCommerceWholeSalePrices')) {

 

78

            return parent::sendError("invalid\_plugin", "You need to install WooCommerce Wholesale Prices plugin to use this api", 404);

 

79

        }

 

80

        global $wc\_wholesale\_prices;

 

81

        $data =  $wc\_wholesale\_prices->wwp\_wholesale\_roles->getAllRegisteredWholesaleRoles();

 

82

        $roles = \[\];

 

83

        $roles = array\_keys($data);

 

84

        $roles\[\] = 'subscriber';

 

85

        if (!isset($role) || !in\_array($role,$roles, true)) {

78

86

            return parent::sendError("invalid\_role", "Role is invalid.", 400);

79

87

        }

**mstore-api/trunk/mstore-api.php**

r2924554

r2925048

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.6

 

6

 \* Version: 3.9.7

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.6';

 

43

    public $version = '3.9.7';

44

44

45

45

    public function \_\_construct()

…

…

 

213

213

214

214

    function mstore\_delete\_json\_file(){

215

 

        if(current\_user\_can( 'edit\_posts' )){

 

215

        if(checkIsAdmin(get\_current\_user\_id())){

216

216

            $id = sanitize\_text\_field($\_REQUEST\['id'\]);

217

217

            $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

218

218

            FlutterUtils::delete\_config\_file($id, $nonce);

 

219

        }else{

 

220

            wp\_send\_json\_error('No Permission',401);

219

221

        }

220

222

    }

…

…

 

222

224

    function mstore\_update\_limit\_product()

223

225

    {

224

 

        if(current\_user\_can( 'edit\_posts' )){

 

226

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

227

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_limit\_product')){

225

228

            $limit = sanitize\_text\_field($\_REQUEST\['limit'\]);

226

229

            if (is\_numeric($limit)) {

227

230

                update\_option("mstore\_limit\_product", intval($limit));

228

231

            }

 

232

        }else{

 

233

            wp\_send\_json\_error('No Permission',401);

229

234

        }

230

235

    }

…

…

 

232

237

    function mstore\_update\_firebase\_server\_key()

233

238

    {

234

 

        if(current\_user\_can( 'edit\_posts' )){

 

239

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

240

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_firebase\_server\_key')){

235

241

            $serverKey = sanitize\_text\_field($\_REQUEST\['serverKey'\]);

236

242

            update\_option("mstore\_firebase\_server\_key", $serverKey);

 

243

        }else{

 

244

            wp\_send\_json\_error('No Permission',401);

237

245

        }

238

246

    }

…

…

 

240

248

    function mstore\_update\_new\_order\_title()

241

249

    {

242

 

        if(current\_user\_can( 'edit\_posts' )){

 

250

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

251

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_title')){

243

252

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

244

253

            update\_option("mstore\_new\_order\_title", $title);

 

254

        }else{

 

255

            wp\_send\_json\_error('No Permission',401);

245

256

        }

246

257

    }

…

…

 

248

259

    function mstore\_update\_new\_order\_message()

249

260

    {

250

 

        if(current\_user\_can( 'edit\_posts' )){

 

261

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

262

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_new\_order\_message')){

251

263

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

252

264

            update\_option("mstore\_new\_order\_message", $message);

 

265

        }else{

 

266

            wp\_send\_json\_error('No Permission',401);

253

267

        }

254

268

    }

…

…

 

256

270

    function mstore\_update\_status\_order\_title()

257

271

    {

258

 

        if(current\_user\_can( 'edit\_posts' )){

 

272

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

273

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_title')){

259

274

            $title = sanitize\_text\_field($\_REQUEST\['title'\]);

260

275

            update\_option("mstore\_status\_order\_title", $title);

 

276

        }else{

 

277

            wp\_send\_json\_error('No Permission',401);

261

278

        }

262

279

    }

…

…

 

264

281

    function mstore\_update\_status\_order\_message()

265

282

    {

266

 

        if(current\_user\_can( 'edit\_posts' )){

 

283

        $nonce = sanitize\_text\_field($\_REQUEST\['nonce'\]);

 

284

        if(checkIsAdmin(get\_current\_user\_id()) && wp\_verify\_nonce($nonce, 'update\_status\_order\_message')){

267

285

            $message = sanitize\_text\_field($\_REQUEST\['message'\]);

268

286

            update\_option("mstore\_status\_order\_message", $message);

 

287

        }else{

 

288

            wp\_send\_json\_error('No Permission',401);

269

289

        }

270

290

    }

**mstore-api/trunk/readme.txt**

r2924554

r2925048

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.6

 

6

Stable tag:        3.9.7

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.7 =

 

47

  \* Fix security issues

 

48

46

49

\= 3.9.6 =

47

50

  \* Fix security issues

**mstore-api/trunk/templates/admin/mstore-api-admin-dashboard.php**

r2924554

r2925048

 

74

74

        ?>

75

75

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

76

 

            <input type="number" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

 

76

            <input type="number" data-nonce="<?php echo wp\_create\_nonce('update\_limit\_product'); ?>" value="<?php echo (!isset($limit) || $limit == false) ? 10 : esc\_attr($limit) ?>"

77

77

                   class="mstore-update-limit-product">

78

78

        </div>

…

…

 

88

88

        ?>

89

89

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

90

 

            <textarea class="mstore-update-firebase-server-key mstore\_input"

 

90

            <textarea data-nonce="<?php echo wp\_create\_nonce('update\_firebase\_server\_key'); ?>" class="mstore-update-firebase-server-key mstore\_input"

91

91

                      style="height: 120px"><?php echo esc\_attr($serverKey) ?></textarea>

92

92

        </div>

…

…

 

108

108

        ?>

109

109

        <div class="form-group" style="margin-top:10px;">

110

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($newOrderTitle); ?>"

 

110

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_title'); ?>" value="<?php echo esc\_attr($newOrderTitle); ?>"

111

111

                   class="mstore-update-new-order-title mstore\_input">

112

112

        </div>

113

113

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

114

 

            <textarea placeholder="Message" class="mstore-update-new-order-message mstore\_input"

 

114

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_new\_order\_message'); ?>" class="mstore-update-new-order-message mstore\_input"

115

115

                      style="height: 120px"><?php echo esc\_attr($newOrderMsg); ?></textarea>

116

116

        </div>

…

…

 

132

132

        ?>

133

133

        <div class="form-group" style="margin-top:10px;">

134

 

            <input type="text" placeholder="Title" value="<?php echo esc\_attr($statusOrderTitle); ?>"

 

134

            <input type="text" placeholder="Title" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_title'); ?>" value="<?php echo esc\_attr($statusOrderTitle); ?>"

135

135

                   class="mstore-update-status-order-title mstore\_input">

136

136

        </div>

137

137

        <div class="form-group" style="margin-top:10px;margin-bottom:40px">

138

 

            <textarea placeholder="Message" class="mstore-update-status-order-message mstore\_input"

 

138

            <textarea placeholder="Message" data-nonce="<?php echo wp\_create\_nonce('update\_status\_order\_message'); ?>" class="mstore-update-status-order-message mstore\_input"

139

139

                      style="height: 120px"><?php echo esc\_attr($statusOrderMsg); ?></textarea>

140

140

        </div>

CVE-2023-3201: Changeset 2925048 for mstore-api – WordPress Plugin Repository

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2023-29372

By Owais Sultan
The Google Cloud Backup and Disaster Recovery (DR) service was introduced in September 2022, which enables centralized management…
This is a post from HackRead.com Read the original post: Essential Insights on Google Cloud Backup and Disaster Recovery Service

The Google Cloud Backup and Disaster Recovery (DR) service was introduced in September 2022, which enables centralized management of backup and DR directly from the Google Cloud console.

Wiseman categorized bikers into two main groups: those who wear protective gear and those who will eventually experience accidents. Similarly, companies can be divided into two groups when it comes to data protection: those who learn from the experiences of others and take precautions, and those who disregard the risks posed by hardware failures, site crashes, malware, viruses, software malfunctions, and human errors.

Some individuals or companies take measures to prevent data loss because they have heard stories from those who couldn’t recover from such incidents (approximately 80% of those who have experienced data loss). Additionally, larger companies face even fewer chances of successfully dealing with data loss.

In the modern business landscape, data security and protection are paramount for organizations worldwide. Numerous threats can result in data corruption, destruction, or loss. While it may be challenging to anticipate these factors, preventive measures can still be taken. This is where Backup and Disaster Recovery (DR) options come into play, ensuring the resilience and recoverability of data even in the most unexpected circumstances.

In this blog, we will explore the Backup, DR  and Google Cloud solutions and delve into the establishment of a robust infrastructure that enhances data security and protection in the face of malicious activities.

**Backup and Disaster Recovery Definition**

Let’s begin by understanding the concepts of Backup and DR.

What is data backup? Backup involves creating copies or archives of critical data and storing them in an alternate location, allowing for recovery in the event of data loss or corruption. Backup options in cloud services and on-premises infrastructure should possess the following characteristics:

*   Centralized backup management across various workloads.
*   Efficient utilization of storage to minimize costs.
*   Minimal recovery times.

On the other hand, disaster recovery (DR) refers to the processes and measures implemented to ensure the continuity of operations and the restoration of vital infrastructure following an adverse event.

When discussing Backup and DR, two essential metrics come into play when assessing the likelihood of recovering from natural or other disasters:

*   Recovery Time Objective (RTO): This is the maximum acceptable downtime for applications as per your service level agreement (SLA).
*   Recovery Point Objective (RPO): This indicates the maximum acceptable data loss duration from your application due to malicious activities.

In September 2022, Google introduced the Google Cloud Backup and DR service, which enables centralized management of Backup and DR directly from the Google Cloud console. Now, let’s delve into the key features and Google Cloud benefits for workload Backup and restoration.

**Google Cloud server backup**

Google Cloud offers its users a straightforward approach to setting up, restoring, and managing disaster recovery (DR) and various cloud backup strategies.

A key focus of the GCP backup solution is to provide a centralized management experience. What does this mean? It means that you can reduce the time spent on management and control by having a comprehensive view of your data protection.

With this capability, IT administrators can create application- and crash-consistent backups for virtual machines (VMs) on Compute Engine, VMware Engine, or on-premises VMware, as well as databases and file systems, all from a single interface. Your data will be stored in its original format, ensuring its readability for applications.

By leveraging data protection in the cloud, you can store all your valuable information in one backup storage, in a cost-effective format, without extensive translation or transition efforts. This reduces the time required for recovery and allows critical business operations to be restored more quickly.

To minimize the total cost of owning a backup solution, Google has developed a space-efficient technology called “incremental forever” storage as part of Cloud Backup and Disaster Recovery. This solution follows the principle of paying only for what you use and need. Here’s how it works: once you have your initial backup, Google Cloud will store subsequent backups by capturing only the block-level changes since the last backup session.

This approach enables faster backups, reduces the impact on production resources, minimizes network bandwidth requirements, and lowers storage costs by optimizing the amount of storage consumed by your backups.

Additionally, Google Cloud offers flexibility in terms of cost and data retention. With Google Cloud Storage, a managed service for storing unstructured data, you can choose the storage class that best suits your needs, balancing business requirements and cost efficiency.

For example, Archive Storage provides the lowest-cost option for highly durable storage, suitable for data archiving, with low-latency access, online backup, and disaster recovery capabilities, ensuring that your data is available within milliseconds.

**Key benefits of the service**

Many people mistakenly assume that storing data in the cloud automatically guarantees its safety in the face of disasters or threats like malware. However, it’s important to remember that simply using the cloud does not guarantee sufficient data security. It’s crucial to assess what backup and disaster recovery capabilities your cloud provider offers.

Here are the benefits of Google Cloud Platform (GCP) backup and disaster recovery:

1.  Streamlined data management and restoration: GCP provides centralized data management, allowing you to set up, monitor, and manage multiple workloads from a single dashboard.
2.  Minimal Recovery Point Objective (RPO): Google Cloud Backup and DR services are VMware and application-aware, supporting a wide range of databases such as MS SQL, PostgreSQL, SAP DB, Oracle, and MongoDB. This capability enables you to significantly reduce your RPO, potentially to as low as 10 minutes, without overloading your systems due to the always incremental concept.
3.  Instant recovery to eliminate downtime: With GCP, you can instantly mount your backup data to hosts, avoiding the need to wait for lengthy database restoration processes. This feature ensures that you can get back to business immediately. Additionally, if you are on-premises, you can leverage the onsite cache to restore your VMware and mount the data locally, resulting in lightning-fast recovery. Moreover, you can access any 10-minute slice of data since you started using the service.
4.  Snapshot functionality for various purposes: GCP allows you to instantly mount any slice of data as a writable snapshot, facilitating activities such as analysis, audit, legal processes, or testing.
5.  Cost optimization: Google Cloud Backup and DR Service charge you based on monthly usage, enabling you to pay only for what you actually use. The pricing is competitive, starting as low as $0.03 per GiB per month for regular data and varying for different types of databases. Additionally, Cloud Storage offers affordable space. There are no prior reservations required; you only pay for your actual data.
6.  Efficient storage utilization: GCP’s backup solution leverages incremental changes added to your initial backup, reducing the need for duplicating data. This approach saves both time and costs.
7.  Simplified infrastructure restoration: GCP allows you to restore your infrastructure with a single click. You can script complete data restoration to another region or migrate your on-premises infrastructure to the cloud within minutes, all without incurring additional costs. This feature enables you to save money while ensuring your data is highly protected. Additionally, you can schedule backup and DR testing, paying only for the target infrastructure during the time needed to restore and verify data and application integrity.

In summary, GCP Backup and DR solutions offer unique features that protect your cloud workloads from unforeseen events. They also provide a secure backup solution for on-premises data by storing it in Google Cloud. By leveraging these capabilities, you can optimize costs and benefit from efficient disaster recovery options in the cloud.

Compared to traditional legacy software and new entrants in the market, GCP’s Backup and DR functionalities stand out as a comprehensive, unique, and reliable solution.

**RELATED ARTICLES**

1.  What is Cloud Mining and How Does it Work?
2.  Google Vertex AI Vision: Revolutionizing E-Commerce?
3.  Google offers Dark Web monitoring for US Gmail users
4.  Beyond Price Point: Analyzing Differences in Cloud Storage Options
5.  Google Appoints VMware Co-founder to Charge Up Cloud Ventures

Essential Insights on Google Cloud Backup and Disaster Recovery Service

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

**Hydra Network Logon Cracker 9.5**

Posted Jun 13, 2023

Authored by van Hauser, thc | Site thc.org

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

Changes: 2 updates to http-form, 1 fix for smb2, 1 fix for smtp, and 1 fix for rdp.

tags | tool, web, imap

systems | cisco, unix

SHA-256 | 9dd193b011fdb3c52a17b0da61a38a4148ffcad731557696819d4721d1bee76b

Download | Favorite | View

Hydra Network Logon Cracker 9.5

hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.

**CVE-2023-33817 - SQL-Injection-found-in-HotelDruid-3.0.5**

HotelDruid v3.0.5 are vulnerable to SQL injection. An attacker could issue arbitrary sql command to retrieve data in databases or even execute remote code execution on target database system

This is my second repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowed any authenticated user such as admin or any user to inject malicious sql command into affected parameter to retrieve data in databases or even execute code execution on target system. Below are the steps to reproduce and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Parameter&Component :

inizioperiodo1 fineperiodo1 inizioperiodo2 fineperiodo2 inizioperiodo3 fineperiodo3 inizioperiodo4 &fineperiodo4 inizioperiodo5 fineperiodo5 inizioperiodo6 fineperiodo6 inizioperiodo7 fineperiodo7

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

Step 2 : Intercept with BurpSuite, and insert some basic payload like " '%2b(select\*from(select(sleep(10)))a)%2b' " and monitor the response. the sceenshot below shows the server have returns the response after 10 seconds , it seems we can move abit deeper :-) .

Step 3 : what if we save this into a burp file and pass it to sqlmap? The screenahot below shows the result of sqkmap.

Step 4 : We can expand abit more with below sqlmap command, i choose sql-shell . The screenshot below shown we can even execute sql command by abusing the vulnerable parameter.

Ps : Above steps is just POC for vendor, actually i have climb from sql-shell to fully OS command shell, but this may need more and more steps and technique involved and i think this is beyond what CVE request us to demo .

Screenshot below show the version of HotelDruid

CVE-2023-33817: GitHub - leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5

benjjvi/PyBB is an open source bulletin board. Prior to commit dcaeccd37198ecd3e41ea766d1099354b60d69c2, benjjvi/PyBB is vulnerable to SQL Injection. This vulnerability has been fixed as of commit dcaeccd37198ecd3e41ea766d1099354b60d69c2. As a workaround, a user may be able to update the software manually to avoid this problem by sanitizing user queries to `BulletinDatabaseModule.py`.

**Impact**

We have recently identified multiple instances of CWE-89 weaknesses within the code of PyBB. These vulnerabilities pose significant risks to the security and privacy of user data. Specifically, there is a potential impact on user tables, which may be exposed, thereby compromising the confidentiality of clear-text usernames and emails. Additionally, the weaknesses undermine the integrity of hashed and salted passwords, potentially allowing malicious actors to decrypt and exploit them.

**Patches**

This CWE vulnerability has been fixed as of commit dcaeccd, and all users are advised to update to this patch as soon as possible, or follow the below instructions in the section titled Workarounds.

**Workarounds**

Although a user may be able to update the software manually to avoid this problem by sanitising user queries to BulletinDatabaseModule.py, it is highly recommended to either update the entire software, keeping the database files, or replacing just BulletinDatabaseModule.py.

To manually fix these errors, a user must have a competent knowledge of Python. The instructions to fix are as follows:

1.  Locate all SQL queries in use in the BulletinDatabaseModule.py file.
2.  Where a query appears as: c.execute(f"select * from posts where boardid = {boardid}"), replace it with c.execute("select * from posts where boardid = ? ", boardid)

**References**

Wikipedia: SQL injection.  
OWASP: SQL Injection Prevention Cheat Sheet.  
Common Weakness Enumeration: CWE-89.

CVE-2023-34249: Unsanitized request to SQL database.

An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

Vladimir had the opportunity to test the security of the Open Source CRM software Dolibarr during an intrusion test of a business tool.

> Dolibarr ERP CRM is a modern software package to manage your company or foundation’s activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, …). It is open source software (written in PHP) and designed for small and medium businesses, foundations and freelancers.
> 
> Ref: https://github.com/Dolibarr/dolibarr  

Our pentester discovered a **critical vulnerability** exploitable by an **unauthenticated attacker**. It provides access to a **competitor’s entire customer file,** prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it **affects Dolibarr 16.x versions**.

**EDIT (22/03/2023)** : Dolibarr version 16.0.5 fixes this vulnerability for v16. (https://github.com/Dolibarr/dolibarr/blob/16.0.5/ChangeLog#L34).

**EDIT2 (13/06/2023)** : CVE-2023-33568 assigned.

**Discovery of the vulnerability**

In order to perform tests on the software itself without impacting the client’s production, and having access to as much information as possible, the consultant created a local Dolibarr environment in the identified version.

The containerized image https://hub.docker.com/r/tuxgasy/dolibarr allows one to have a functional environment in minutes with Docker to start hunting for vulnerabilities. The tuxgasy/dolibarr:16 image was used to discover this vulnerability.

Without necessarily trying to delve too much into the details of the Dolibarr code base, the auditor simply listed all the PHP files accessible from the root of the web server in order to identify those which are accessible without authentication:

> **find . -type f -name “\*.php”**

One of the scripts thus accessible attracts attention because its response differs from the others:https://github.com/Dolibarr/dolibarr/blob/16.0.4/htdocs/public/ticket/ajax/ajax.php.

Reading the PHP code instructs us on the required parameters: **_action_** and **_email_**.

In particular, **_action_** must be equal to “**getContacts**“.

When all conditions are met, the following response is returned to the unauthenticated user:  
Dolibarr integrates some protections and checks that the variables sent by users do not contain suspicious patterns (XSS, SQL injections):

If the parameters have been protected in this way, the injections are therefore generally more complex to exploit.

We are therefore currently in the presence of unauthenticated access to the details of a contact, provided that the attacker knows the email address associated with it.

Digging deeper into the PHP code, the pentester lands on the SQL query called:

We can observe the use of the SQL LIKE operator: with a bit of luck the ‘**%**‘ character can be used to transform the query and make it return all the records!

All contact details are returned in a single request.

A sorting on a few fields demonstrates the interest of this vulnerability:

An attacker could access a **competitor’s entire customer file**, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved.

Attacker can get other information such as technical data about the database:

**Impact & PoC**

Dolibarr 16.x versions are affected. Version 17 disables access to this page by default, a specific Dolibarr option must be set for it to be accessible again.

The estimated CVSSv3 score is 7.5 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1), however the nature of the data and the ease of exploitation make it **a critical vulnerability**.

Linux command to reproduce the vulnerability and display some arbitrary fields:

> **curl -sk ‘\[URI\_DOLIBARR\]/public/ticket/ajax/ajax.php?action=getContacts&email=%’ | jq -r ‘.contacts\[\] | {id, socname, poste, email, phone\_perso, phone\_pro, note\_public, note\_private}’**

**Recommendations**

Business tools as important as an ERP/CRM must be properly secured:

*   Open access to the Internet only if strictly necessary (prefer VPN access)
*   Only use the plugins useful for your use cases
*   Perform regular account reviews
*   Keep the various software components up to date
*   Ensure that your access policy is correctly implemented (password complexity, 2FA, …)
*   Implement, and maintain, a policy of least privilege
*   Perform regular penetration testing (regardless of application exposure)

✅ Many Dolibarr instances are exposed on the Internet: for those which are in version 16.x remember to upgrade quickly!

**Communication with the software publisher**

Dolibarr’s Coordinated Disclosure Process is documented at the following URL: https://github.com/Dolibarr/dolibarr/security/policy.

The firs answer was (very) fast. On the other hand, the Dolibarr ecosystem could gain in security by communicating in a clear and precise manner on the vulnerabilities discovered and fixed in a centralized place, such as the Github “Security Advisories”.

21/02/2023 : First email sent by Vladimir following the Dolibarr process

21/02/2023 : Response from developer Eldy validating the vulnerability and indicating that the feature in question will be disabled with Dolibarr 17

05/03/2023 : Dolibarr v17 released

14/03/2023 : Article published

CVE-2023-33568: Dolibarr : unauthenticated contacts database theft

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Satos Satos Mobile allows SQL Injection through SOAP Parameter Tampering.This issue affects Satos Mobile: before 20230607.



CVE-2023-35064

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5.

@@ -0,0 +1,90 @@

<?php

// Copyright (C) <2015> <it-novum GmbH>

//

// This file is dual licensed

//

// 1.

// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, version 3 of the License.

//

// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

// GNU General Public License for more details.

//

// You should have received a copy of the GNU General Public License

// along with this program. If not, see <http://www.gnu.org/licenses/>.

//

// 2.

// If you purchased an openITCOCKPIT Enterprise Edition you can use this file

// under the terms of the openITCOCKPIT Enterprise Edition license agreement.

// License agreement and license key will be shipped with the order

// confirmation.

  

declare(strict\_types=1);

  

use Migrations\\AbstractMigration;

  

/\*\*

\* Class UniqueIndexForIsUnique

\*

\* Created via:

\* oitc migrations create UniqueIndexForIsUnique

\*

\* Run migration:

\* oitc migrations migrate

\*

\*/

class UniqueIndexForIsUnique extends AbstractMigration {

/\*\*

\* Change Method.

\*

\* More information on this method is available here:

\* https://book.cakephp.org/phinx/0/en/migrations.html#the-change-method

\* @return void

\*/

public function change(): void {

  

if ($this\->hasTable('agentchecks')) {

$this\->table('agentchecks')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('macros')) {

$this\->table('macros')

\->addIndex(

\[

'name',

\],

\['unique' => true\]

)

\->update();

}

  

if ($this\->hasTable('users')) {

$this\->table('users')

\->addIndex(

\[

'email',

\],

\['unique' => true\]

)

\->addIndex(

\[

'email',

'ldap\_dn'

\],

\['unique' => true\]

)

\->update();

}

  

}

}

Tag

#sql