There is an open redirect vulnerability in Titan FTP server 19.0 and below. Users are redirected to any target URL.

**Introduction**

A new vulnerability has been discovered affecting Titan FTP web server catalogued as CVE-2022-44215. Titan FTP is a commertial software created by South River Technologies that implements FTP protocol for file sharing. In its HTTP(S) version 19.X and prior, it has been proved to be vulnerable to an Open Redirection vulnerability.

**Description**

An Open redirection vulnerability consist into the server not correctly sanitizing the user’s input. Therefore, a redirection is done using the user-supplied input without sanitization (white/blacklisting). In this case, Titan FTP server performs a redirection when a backslash \ is encountered in the URL. No matter if the backslash is in plaintext or URL encoded (%5C). https://<server>\<malicious_url> will produce the server supplying a redirection to \<malicious_url>.

**Testing**

To exploit this, the browser needs to understand the protocol of the location HTTP response header. This is to contain HTTP or HTTPS. To circumvent this, it is possible to supply instead of one backslash, two of them “\\”. This will be interpreted as a protocol separator and most browsers will use HTTP protocol by default. In the end, the working payload to achieve a redirection will be something similar to this: http[s]://<server>\\<malicious_url>

To perform this test, also CURL can be used. However, bear in mind that CURL will detect it as bad crafted since “\\” is prohibited by the standard RFC 2396. To bypass this using curl we can use the following command:

Curl -i http[s]://<server> --request-target \\\\malicious.com

**Proof of concept**

Despite the issue, the exploitation is limited due to browsers normally rewrite starting backslashes “\\” into “/”, producing that attacks using directly the plaintext will not work in most of the cases. Some workarounds could be done using HTML payloads that bypass browsers URL rewrite rules.

**Conclusion**

According to Shodan, in December 2022 this server is publicly exposed at 1.278 servers worldwide:

This vulnerability could be used by attackers to perform social engineering attacks redirecting victims to fake FTP login pages or other phishing scenarios.

CVE-2022-44215: GitHub - JBalanza/CVE-2022-44215: Public disclosure of TitanFTP 19.X Open Redirection vulnerability

An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.

Passer au contenu

*   Géomatika
    *   Présentation
    *   Réalisations
    *   Géoservices à la carte.
    *   Applications métiers
    *   Recrutement
    *   Formations
    *   Contact
*   IsiGéo
    *   IsiGéo Web
    *   IsiGéo API Js
    *   IsiGéo Apps
    *   Portail cartographique
    *   Boite à outils
    *   IsiGéo – Développements en cours
*   Solutions
    *   Cadastre / Urbanisme
    *   Logiciel Cimetière pour les Mairies
    *   Logiciel d’adressage
    *   Catalogage de plans Autocad
    *   Gestion de l’ANC ( Assainissement Non Collectif )
    *   Contrôle Poteaux Incendie
    *   Gestion d’un parc d’éclairage public
*   Mobilité
    *   Solutions terrain
    *   GPS centimétriques pour les SIG
*   npg
*   

IsiGéo web Géomatika2023-01-23T22:44:57+01:00

Page load link

Aller en haut

CVE-2023-23565: IsiGéo web

Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Nagios-XI-Reflected-XSS**

A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

**PoC**

To exploit vulnerability, someone could use a GET request to 'http://\[server\]/includes/components/ccm/' by manipulating 'returnUrl' parameter in the request body to impact users who open a maliciously crafted link or third-party web page.

    http://[server]/includes/components/ccm/?cmd=modify&id=1&page=1&returnUrl=%22%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&type=host

CVE-2020-23992: GitHub - EmreOvunc/Nagios-XI-Reflected-XSS: A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted lin

Buffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.

Hi, I found a heap-buffer-overflow in WritePCXImage at pcx.c:1255  
I tested it in GraphicsMagick 1.4  
how to reproduce :

ASAN LOG

\==14178\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x6030000000c0 at pc 0x0000028f29c0 bp 0x7ffec5056070 sp 0x7ffec5056068
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #2 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21
    #3 0x615be6 in ConvertImageCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:6135:11
    #4 0x72e875 in MagickCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:8880:17
    #5 0x810c5c in GMCommandSingle /home/suhwan/project/graphicsmagick\-code/magick/command.c:17412:10
    #6 0x80ba1e in GMCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:17465:16
    #7 0x7ff6e5aa2b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #8 0x424239 in \_start (/home/suhwan/project/fuzz\-input\-validate/test/bin/gm+0x424239)

0x6030000000c0 is located 0 bytes to the right of 32\-byte region \[0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in \_\_interceptor\_malloc /tmp/final/llvm.src/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1172:16
    #2 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #3 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17 in WritePCXImage
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
\=>0x0c067fff8010: 05 fa fa fa 00 00 00 00\[fa\]fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==14178\==ABORTING

GraphicsMagick 1.4 snapshot-20191225 Q8 http://www.GraphicsMagick.org/  
Copyright (C) 2002-2019 GraphicsMagick Group.  
Additional copyrights and licenses apply to this software.  
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:  
Native Thread Safe yes  
Large Files (> 32 bit) yes  
Large Memory (> 32 bit) yes  
BZIP yes  
DPS no  
FlashPix no  
FreeType yes  
Ghostscript (Library) no  
JBIG yes  
JPEG-2000 no  
JPEG yes  
Little CMS yes  
Loadable Modules no  
Solaris mtmalloc no  
OpenMP yes (201107 "3.1")  
PNG yes  
TIFF yes  
TRIO no  
Solaris umem no  
WebP no  
WMF no  
X11 yes  
XML yes  
ZLIB yes

Host type: x86\_64-pc-linux-gnu

CVE-2020-21679: GraphicsMagick / Bugs / #619 heap-buffer-overflow in WritePCXImage

In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.

This is basically the same issue as #5140 just with LDAP.

2023.01.24 08:40:11 - CMDPHP PHP ERROR Backtrace: (/index.php\[25\]:include(), /include/auth.php\[158\]:require\_once(), /auth\_login.php\[99\]:ldap\_login\_process(), /lib/auth.php\[3513\]:cacti\_ldap\_auth(), /lib/ldap.php\[74\]:CactiErrorHandler())  
2023.01.24 08:40:11 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$password is deprecated in file: /var/www/cacti/lib/ldap.php on line: 74  
2023.01.24 08:40:11 - CMDPHP PHP ERROR Backtrace: (/index.php\[25\]:include(), /include/auth.php\[158\]:require\_once(), /auth\_login.php\[99\]:ldap\_login\_process(), /lib/auth.php\[3513\]:cacti\_ldap\_auth(), /lib/ldap.php\[73\]:CactiErrorHandler())  
2023.01.24 08:40:11 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$username is deprecated in file: /var/www/cacti/lib/ldap.php on line: 73  
2023.01.24 08:40:11 - CMDPHP PHP ERROR Backtrace: (/index.php\[25\]:include(), /include/auth.php\[158\]:require\_once(), /auth\_login.php\[99\]:ldap\_login\_process(), /lib/auth.php\[3513\]:cacti\_ldap\_auth(), /lib/ldap.php\[71\]:Ldap->\_\_construct(), /lib/ldap.php\[425\]:CactiErrorHandler())  
2023.01.24 08:40:11 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$specific\_password is deprecated in file: /var/www/cacti/lib/ldap.php on line: 425  
2023.01.24 08:40:11 - CMDPHP PHP ERROR Backtrace: (/index.php\[25\]:include(), /include/auth.php\[158\]:require\_once(), /auth\_login.php\[99\]:ldap\_login\_process(), /lib/auth.php\[3513\]:cacti\_ldap\_auth(), /lib/ldap.php\[71\]:Ldap->\_\_construct(), /lib/ldap.php\[424\]:CactiErrorHandler())  
2023.01.24 08:40:11 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$specific\_dn is deprecated in file: /var/www/cacti/lib/ldap.php on line: 424  
2023.01.24 08:40:11 - CMDPHP PHP ERROR Backtrace: (/index.php\[25\]:include(), /include/auth.php\[158\]:require\_once(), /auth\_login.php\[99\]:ldap\_login\_process(), /lib/auth.php\[3513\]:cacti\_ldap\_auth(), /lib/ldap.php\[71\]:Ldap->\_\_construct(), /lib/ldap.php\[423\]:CactiErrorHandler())  
2023.01.24 08:40:11 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$search\_filter is deprecated in file: /var/www/cacti/lib/ldap.php on line: 423

Fixed it by declaring public variables:

 class Ldap {  
+	public $dn,  
+		$host,  
+		$port,  
+		$port_ssl,  
+		$version,  
+		$encryption,  
+		$referrals,  
+		$debug,  
+		$group_require,  
+		$group_dn,  
+		$group_attrib,  
+		$group_member_type,  
+		$mode,  
+		$search_base,  
+		$search_filter,  
+		$specific_dn,  
+		$specific_password,  
+		$username,  
+		$password;

CVE-2022-48538: 1.2.23 - Cacti PHP 8.2 LDAP Errors with php-ldap Installed · Issue #5189 · Cacti/cacti

The web server Tengine 2.2.2 developed in the Nginx version from 0.5.6 thru 1.13.2 is vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in the leakage of potentially sensitive information triggered by specially crafted requests.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-21699: Nginx-variants/附件(Tengine).docx at master · ZxDecide/Nginx-variants

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.

XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.

The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.

XZ Utils consist of several components:

*   liblzma is a compression library with an API similar to that of zlib.
*   xz is a command line tool with syntax similar to that of gzip.
*   xzdec is a decompression-only tool smaller than the full-featured xz tool.
*   A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
*   Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.

While liblzma has a zlib-like API, liblzma doesn't include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.

**Documentation**

Man page with a keyword index: xz(1)

Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.

**Source code**

Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan's OpenPGP key. The older files have been signed with Lasse Collin's OpenPGP key.

See the NEWS file for a summary of changes between versions.

**Stable**

5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.

XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.

xz-5.4.4.tar.gz (2808 KiB) signature  
xz-5.4.4.tar.bz2 (2116 KiB) signature  
xz-5.4.4.tar.zst (1680 KiB) signature  
xz-5.4.4.tar.xz (1623 KiB) signature

Probably the last release of the old stable branch:

xz-5.2.12.tar.gz (2140 KiB) signature  
xz-5.2.12.tar.bz2 (1593 KiB) signature  
xz-5.2.12.tar.zst (1317 KiB) signature  
xz-5.2.12.tar.xz (1275 KiB) signature

**Development**

The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.

There currently are no development releases.

**Old versions**

Source and binary packages of old XZ Utils releases are available on a separate page.

**Git repository**

The primary repository is on GitHub:

git clone https://github.com/tukaani-project/xz

It is mirrored with some delay to git.tukaani.org:

git clone https://git.tukaani.org/xz.git

Gitweb

Branches:

*   **master**: the latest development code
*   **v5.4**: fixes for the next 5.4.x release
*   **v5.2**: fixes for the next 5.2.x release
*   **v5.0**: fixes for the next 5.0.x release (unmaintained)

Building the code from the git repository requires GNU Autotools. Here are the _minimum_ versions that should work with XZ Utils; using the latest versions is strongly recommended:

*   Autoconf 2.69
*   Automake 1.12
*   gettext 0.19.6 (Note: autopoint depends on cvs!)
*   Libtool 2.4

The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.

*   po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
*   Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.

**Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587**

A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.

It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.

xzgrep-ZDI-CAN-16587.patch  
xzgrep-ZDI-CAN-16587.patch.sig

**Bindings****Python**

Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.

lzmaffi is another Python binding which adds random-access decompression support.

The original Python 2 binding for liblzma is PylibLZMA.

**Perl**

Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.

**Haskell**

Haskell bindings.

**Delphi and Free Pascal**

Bindings and example programs for Delphi and Free Pascal are available here.

**Pre-built binaries**

Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn't make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don't have well-known repositories where users would get software like this.

If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won't host the binaries themselves without a good reason.

**Windows**

The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.

*   Command line tools: xz, xzdec, lzmadec, lzmainfo
*   Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
*   Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.

5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.

xz-5.2.9-windows.zip (1473 KiB) signature  
xz-5.2.9-windows.7z (708 KiB) signature

**DOS**

The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn't necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn't work).

Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.

5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.

xz-5.4.0-dos.zip (277 KiB) signature

The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.

djlsr205.zip (2000 KiB)  
djtst205.zip (1061 KiB)  
csdpmi7s.zip (88 KiB)

Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).

**Supported platforms**

Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.

*   GNU/Linux (GCC, Clang, ICC, IBM XL C)
*   GNU/HURD (GCC)
*   DragonflyBSD (GCC)
*   FreeBSD (GCC, Clang)
*   MirBSD (GCC)
*   NetBSD (GCC)
*   OpenBSD (Clang, GCC)
*   MINIX 3 (GCC) \[1\]
*   Haiku (GCC4)
*   Mac OS X (GCC)
*   Solaris 8, 9, 10, 11 (GCC, Sun Studio) \[3\]
*   Solaris 2.6, 7 (GCC)
*   HP-UX (GCC, HP ANSI C) \[2\]
*   Tru64 (GCC, Compaq C compiler) \[1\]
*   IRIX (MIPSpro) \[1\]
*   AIX (GCC, IBM XL C)
*   z/OS (IBM XL C)
*   QNX (compilers?)
*   OpenVMS (HP C compiler) \[1\]
*   OpenVOS 17 (GCC)
*   SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) \[4\]
*   Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) \[1\]
*   OS/2, eComStation (GCC)
*   DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) \[1\]

\[1\] See also the platform-specific notes in the INSTALL file.

\[2\] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.

\[3\] On Solaris 8 and 9 one may need to pass ac\_cv\_prog\_cc\_c99= to configure if using Sun Studio.

\[4\] Use --disable-threads when running configure.

**Licensing**

The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.

Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.

See the file COPYING for more details.

CVE-2020-22916: XZ Utils

An issue discovered in Samsung SyncThru Web Service SPL 5.93 06-09-2014 allows attackers to gain escalated privileges via MITM attacks.

CVE-2021-35309: cve-subscriptions/samsung-stws at main · mustafa-turgut/cve-subscriptions

The json2xml package through 3.12.0 for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.

This section covers how to use the public PyPI download statistics dataset to learn more about downloads of a package (or packages) hosted on PyPI. For example, you can use it to discover the distribution of Python versions used to download a package.

Contents

*   Background
    
*   Public dataset
    
    *   Getting set up
        
    *   Data schema
        
    *   Useful queries
        
        *   Counting package downloads
            
        *   Package downloads over time
            
        *   Python versions over time
            
        *   Getting absolute links to artifacts
            
*   Caveats
    
*   Additional tools
    
    *   google-cloud-bigquery
        
    *   pypinfo
        
    *   pandas-gbq
        
*   References
    

**Background¶**

PyPI does not display download statistics for a number of reasons: 1

*   **Inefficient to make work with a Content Distribution Network (CDN):** Download statistics change constantly. Including them in project pages, which are heavily cached, would require invalidating the cache more often, and reduce the overall effectiveness of the cache.
    
*   **Highly inaccurate:** A number of things prevent the download counts from being accurate, some of which include:
    
    *   pip’s download cache (lowers download counts)
        
    *   Internal or unofficial mirrors (can both raise or lower download counts)
        
    *   Packages not hosted on PyPI (for comparisons sake)
        
    *   Unofficial scripts or attempts at download count inflation (raises download counts)
        
    *   Known historical data quality issues (lowers download counts)
        
*   **Not particularly useful:** Just because a project has been downloaded a lot doesn’t mean it’s good; Similarly just because a project hasn’t been downloaded a lot doesn’t mean it’s bad!
    

In short, because it’s value is low for various reasons, and the tradeoffs required to make it work are high, it has been not an effective use of limited resources.

**Public dataset¶**

As an alternative, the Linehaul project streams download logs from PyPI to Google BigQuery 2, where they are stored as a public dataset.

**Getting set up¶**

In order to use Google BigQuery to query the public PyPI download statistics dataset, you’ll need a Google account and to enable the BigQuery API on a Google Cloud Platform project. You can run up to 1TB of queries per month using the BigQuery free tier without a credit card

*   Navigate to the BigQuery web UI.
    
*   Create a new project.
    
*   Enable the BigQuery API.
    

For more detailed instructions on how to get started with BigQuery, check out the BigQuery quickstart guide.

**Data schema¶**

Linehaul writes an entry in a bigquery-public-data.pypi.file_downloads table for each download. The table contains information about what file was downloaded and how it was downloaded. Some useful columns from the table schema include:

  

Column

Description

Examples

timestamp

Date and time

2020-03-09 00:33:03 UTC

file.project

Project name

pipenv, nose

file.version

Package version

0.1.6, 1.4.2

details.installer.name

Installer

pip, bandersnatch

details.python

Python version

2.7.12, 3.6.4

**Useful queries¶**

Run queries in the BigQuery web UI by clicking the “Compose query” button.

Note that the rows are stored in a partitioned table, which helps limit the cost of queries. These example queries analyze downloads from recent history by filtering on the timestamp column.

**Counting package downloads¶**

The following query counts the total number of downloads for the project “pytest”.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

26190085

To count downloads from pip only, filter on the details.installer.name column.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  AND details.installer.name = 'pip'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

24334215

**Package downloads over time¶**

To group by monthly downloads, use the TIMESTAMP_TRUNC function. Also filtering by this column reduces corresponding costs.

#standardSQL
SELECT
  COUNT(\*) AS num\_downloads,
  DATE\_TRUNC(DATE(timestamp), MONTH) AS \`month\`
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  file.project = 'pytest'
  -- Only query the last 6 months of history
  AND DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`month\`
ORDER BY \`month\` DESC

 

num\_downloads

month

1956741

2018-01-01

2344692

2017-12-01

1730398

2017-11-01

2047310

2017-10-01

1744443

2017-09-01

1916952

2017-08-01

**Python versions over time¶**

Extract the Python version from the details.python column. Warning: This query processes over 500 GB of data.

#standardSQL
SELECT
  REGEXP\_EXTRACT(details.python, r"\[0-9\]+\\.\[0-9\]+") AS python\_version,
  COUNT(\*) AS num\_downloads,
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  -- Only query the last 6 months of history
  DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`python\_version\`
ORDER BY \`num\_downloads\` DESC

 

python

num\_downloads

3.7

18051328726

3.6

9635067203

3.8

7781904681

2.7

6381252241

null

2026630299

3.5

1894153540

**Getting absolute links to artifacts¶**

It’s sometimes helpful to be able to get the absolute links to download artifacts from PyPI based on their hashes, e.g. if a particular project or release has been deleted from PyPI. The metadata table includes the path column, which includes the hash and artifact filename.

Note

The URL generated here is not guaranteed to be stable, but currently aligns with the URL where PyPI artifacts are hosted.

SELECT
  CONCAT('https://files.pythonhosted.org/packages', path) as url
FROM
  \`bigquery-public-data.pypi.distribution\_metadata\`
WHERE
  filename LIKE 'sampleproject%'

url

https://files.pythonhosted.org/packages/eb/45/79be82bdeafcecb9dca474cad4003e32ef8e4a0dec6abbd4145ccb02abe1/sampleproject-1.2.0.tar.gz

https://files.pythonhosted.org/packages/56/0a/178e8bbb585ec5b13af42dae48b1d7425d6575b3ff9b02e5ec475e38e1d6/sampleproject\_nomura-1.2.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/63/88/3200eeaf22571f18d2c41e288862502e33365ccbdc12b892db23f51f8e70/sampleproject\_nomura-1.2.0.tar.gz

https://files.pythonhosted.org/packages/21/e9/2743311822e71c0756394b6c5ab15cb64ca66c78c6c6a5cd872c9ed33154/sampleproject\_doubleyoung18-1.3.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/6f/5b/2f3fe94e1c02816fe23c7ceee5292fb186912929e1972eee7fb729fa27af/sampleproject-1.3.1.tar.gz

**Caveats¶**

In addition to the caveats listed in the background above, Linehaul suffered from a bug which caused it to significantly under-report download statistics prior to July 26, 2018. Downloads before this date are proportionally accurate (e.g. the percentage of Python 2 vs. Python 3 downloads) but total numbers are lower than actual by an order of magnitude.

**Additional tools¶**

Besides using the BigQuery console, there are some additional tools which may be useful when analyzing download statistics.

**google-cloud-bigquery¶**

You can also access the public PyPI download statistics dataset programmatically via the BigQuery API and the google-cloud-bigquery project, the official Python client library for BigQuery.

from google.cloud import bigquery

\# Note: depending on where this code is being run, you may require
\# additional authentication. See:
\# https://cloud.google.com/bigquery/docs/authentication/
client \= bigquery.Client()

query\_job \= client.query("""
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()""")

results \= query\_job.result()  \# Waits for job to complete.
for row in results:
    print("{} downloads".format(row.num\_downloads))

**pypinfo¶**

pypinfo is a command-line tool which provides access to the dataset and can generate several useful queries. For example, you can query the total number of download for a package with the command pypinfo package_name.

Install pypinfo using pip.

python3 \-m pip install pypinfo

Usage:

$ pypinfo requests
Served from cache: False
Data processed: 6.87 GiB
Data billed: 6.87 GiB
Estimated cost: $0.04

| download\_count |
| -------------- |
|      9,316,415 |

**pandas-gbq¶**

The pandas-gbq project allows for accessing query results via Pandas.

**References¶**

1

PyPI Download Counts deprecation email

2

PyPI BigQuery dataset announcement email

CVE-2022-25024: Analyzing PyPI package downloads — Python Packaging User Guide

A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.

**v1.1.38 Stored XSS in user\_admin.php**

When creating a new user on /cacti/user\_admin.php, using the “copy” method, it is possible to bypass user input validation. This allows for the creation of a user called <script>alert(1)</script>.

_This username just meets the max characters allowed. However, this restriction can be circumvented to allow for longer usernames/XSS payloads by using a web application proxy and editing the request before it is sent to the server._

The stored XSS payload can be executed by clicking in the user’s profile and visiting the “General”, “Permissions”, or “User Settings” tabs.

    http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#}&tab=general
    http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=realms
    http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=settings
    

**v1.1.38 Bypass Input Validation in user\_group\_admin.php**

The same vulnerability, of using the “copy” approach to bypass input validation, exists on the user\_group\_admin.php page. However, I was unable to use the web application proxy trick to extend the field name.

When trying to go back and delete this, I ran into some issues that required me to manually go into the database and remove the group from the “user\_auth\_group” table.

_EDIT_ - As a PoC I was able to use this for htlm injection, by creating the group <h1>test</h1>. However, the code only rendered when going back to delete the account:  

**_Side-Note:_ <=0.8.7g Reflected XSS in auth\_changepassword.php**

I started looking into Cacti after I ran into version 0.8.7g for a customer. There were several reflected xss vulnerabilities after authentication, but I came across this one in auth\_changepassword.php that I did not see very well documented _(I could be wrong about that)_.

    /auth_changepassword.php?ref=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
    

  
Looking at the code itself I saw a hidden parameter that does not validate user input. This code was modified in the later versions 0.8.7.h+.

\-m8r0wn

Tag

#web